#!/bin/sh


#################################################################################
#
#  Rootkit Hunter 
# ----------------
#
# Copyright Michael Boelen ( michael AT rootkit DOT nl )
# See LICENSE file for use of this software
#
#################################################################################
# [More info at the end of this file]
#################################################################################

# Program information (name, version and the banner printed by --version
# and written at the top of the log)
PROGRAM_author="Michael Boelen"
PROGRAM_NAME="Rootkit Hunter"
PROGRAM_version="1.1.6"
PROGRAM_releasedate="18 August 2004"
PROGRAM_copyright="Copyright 2003-2004, ${PROGRAM_author}"

# Multi-line licence notice; the leading and trailing newlines are part of
# the text on purpose so it stands apart when logged.
PROGRAM_license="
${PROGRAM_NAME} ${PROGRAM_version}, ${PROGRAM_copyright}

${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.
"

# Free-form extra information (empty in this release)
PROGRAM_extrainfo=""


# Run-mode defaults; the option parser below overrides these.
CRONJOB=0            # running from cron (no terminal, no colours, no pauses)
CHECK=0              # -c / --checkall given

# Logging / debugging
DEBUG=1
DEBUGLOG=0           # write /var/log/rkhunter.log (--createlogfile)
CATLOGFILE=0         # show the log file afterwards (--display-logfile)

# Maintenance actions
VERSIONCHECK=0       # --versioncheck
UPDATE=0             # --update
NOARGS=1             # no arguments given -> help is shown
NOCOLORS=0           # --nocolors

# Individual checks that can be switched off
MD5CHECK_SKIP=0      # skip MD5 check
PASSWDCHECK_SKIP=0   # skip passwd/group check
APPLICATION_CHECK=1  # application check stays on unless --skip-application-check


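# Solaris: /bin/sh is the legacy Bourne shell, which has no $RANDOM (and
# lacks much of what the rest of this script relies on).  Under a Bourne
# shell "$RANDOM" expands to the same empty string twice, so the comparison
# holds only there; in that case re-execute ourselves under ksh.
if [ "`uname`" = "SunOS" ]; then
  if [ "$RANDOM" = "$RANDOM" ]; then
    echo "WARN: Found Bourne-Shell -> Switching now to /bin/ksh" >&2
    # ${1+"$@"} passes every argument through intact (the old $* re-split
    # them on whitespace) and, unlike a bare "$@", expands to nothing
    # rather than one empty argument on ancient Bourne shells.
    exec /bin/ksh "$0" ${1+"$@"}
    # exec only returns when it failed, so this is the failure path.
    echo "Fatal: could not exec /bin/ksh" >&2
    exit 1
  fi
fi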

# Echo flavour.  On AIX/OpenBSD/SunOS the script may be running under ksh,
# whose builtin 'print' replaces echo and takes "--" instead of "-e".
# Start from the bash settings and override them only if 'print' works.
E="-e"
ECHOOPT=""
MYSHELL=bash
case `uname` in
  AIX|OpenBSD|SunOS)
    if print >/dev/null 2>&1; then
      alias echo='print'
      E=""
      ECHOOPT="--"
      MYSHELL=ksh
    fi
    ;;
esac


# Output control
QUIET=0             # be quiet (only show warnings)
SHOWWARNINGSONLY=0  # show only warnings
PERFORMKNOWNBAD=0   # --scan-knownbad-files

# Almost every system has a root of '/', but just in case of..
# (every rootkit path below is built as "${ROOTDIR}etc/...", so the value
# is expected to end in a slash)
ROOTDIR="/"

# (An autoconf-style "dirname $0" fallback for locating the installation
# used to live here, commented out.  MYDIR is read from the INSTALLDIR
# line of the configuration file further down instead.)

# Quick scanning (instead of full scan)
QUICKSCAN=0

# Report mode (do not show footer and make a 'professional' report)
REPORTMODE=0

# Set prefix for binaries (useful when using chrooted environments)
BINPREFIX=""

# Interactive pauses; --skip-keypress and --cronjob clear both
PAUSEAFTERTESTS=1   # wait after every test
WAITONWARNING=1     # wait after a warning

# Operating system is Gentoo? (check will be performed later)
GENTOO=0


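# Check parameters
PARAMCOUNT=$#
if [ $# -ge 1 ]; then
  NOARGS=0
 else
  NOARGS=1
fi

# Abort unless the option in $1 is followed by a value in $2.  Called with
# the remaining argument list for every option that takes an argument.
# Without it, "--rootdir" as the last word silently left ROOTDIR empty and
# the 'shift' at the end of the loop failed on an exhausted argument list.
option_needs_value()
  {
    if [ $# -lt 2 ]; then
      echo "Fatal: option $1 requires a value" >&2
      exit 1
    fi
  }

while [ $# -ge 1 ]; do
  case "$1" in
      -c | --checkall)
          CHECK=1
          ;;
      --bindir)
          option_needs_value "$@"
          shift
          BINPATHS=$1
          ;;
      --configfile)
          option_needs_value "$@"
          shift
          CONFIGFILE=$1
          ;;
      --cronjob)
          CHECK=1
          CRONJOB=1
          PAUSEAFTERTESTS=0
          WAITONWARNING=0
          ;;
      --createlogfile | --createlog | --create-log | --create-logfile)
          DEBUG=1
          DEBUGLOG=1
          ;;
      --dbdir)
          option_needs_value "$@"
          shift
          DB_PATH=$1
          ;;
      --disable-md5-check | --disable-md5check | --dmc)
          MD5CHECK_SKIP=1
          ;;
      --disable-passwd-check | --dpc)
          PASSWDCHECK_SKIP=1
          ;;
      # The bare spellings (no leading "--") were accepted before, most
      # likely by mistake; they are kept so existing cron lines still work.
      --display-logfile | --displaylogfile | --display-log | --displaylog | displaylogfile | display-log | displaylog)
          CATLOGFILE=1
          ;;
      # '-?' must be quoted: unquoted it is a glob matching ANY two-character
      # word starting with '-', so an unknown option such as "-x" would have
      # been treated as a request for help instead of being rejected.
      -h | --help | '-?')
          NOARGS=1
          ;;
      --nocolors)
          NOCOLORS=1
          ;;
      -q | --quiet)
          QUIET=1
          ;;
      --quick)
          QUICKSCAN=1
          ;;
      --report-mode | --reportmode)
          QUIET=1
          REPORTMODE=1
          ;;
      --report-warnings-only)
          SHOWWARNINGSONLY=1
          QUIET=1
          DEBUG=1
          DEBUGLOG=1
          ;;
      -r | --rootdir)
          option_needs_value "$@"
          shift
          ROOTDIR=$1
          # Every path this script derives from ROOTDIR has the form
          # "${ROOTDIR}etc/...", so the prefix must end in a slash --
          # "/mnt/chroot" would otherwise become "/mnt/chrootetc/...".
          case "${ROOTDIR}" in
            */) ;;
            *)  ROOTDIR="${ROOTDIR}/" ;;
          esac
          ;;
      --scan-knownbad-files)
          PERFORMKNOWNBAD=1
          ;;
      --skip-application-check | --skipapplicationcheck | --skip-applicationcheck)
          APPLICATION_CHECK=0
          ;;
      --skip-keypress | --skipkeypress)
          # Don't wait after every test
          PAUSEAFTERTESTS=0
          # Don't wait after warnings
          WAITONWARNING=0
          ;;
      --tmpdir)
          option_needs_value "$@"
          shift
          TMPDIR=$1
          ;;
      --version)
          echo $ECHOOPT "${PROGRAM_NAME} ${PROGRAM_version}"
          exit 0
          ;;
      --update)
          UPDATE=1
          ;;
      --versioncheck)
          VERSIONCHECK=1
          ;;
      *)
          echo "Fatal: Invalid option $1" >&2
          exit 1
          ;;
  esac
  shift
done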

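# Log file.  Only wanted when --createlogfile (or an option implying it)
# set DEBUGLOG; otherwise every log line goes to /dev/null.
if [ "${DEBUGLOG:-0}" -eq 0 ]
  then
    # Through the drain...
    DEBUGFILE="/dev/null"
  else
    if [ -d "/var/log" ]
      then
        DEBUGFILE="/var/log/rkhunter.log"
      else
        echo "/var/log doesn't exists... no log file created" >&2
        DEBUGFILE="/dev/null"
    fi
    if [ "${DEBUGFILE}" != "/dev/null" ]; then
      # Start from a fresh file.  -L is tested as well as -e: a dangling
      # symlink fails the old '-f' test, would have been left in place, and
      # the first '>>' would then have created whatever it points at, with
      # the privileges this scan normally runs with (root).
      if [ -e "${DEBUGFILE}" ] || [ -L "${DEBUGFILE}" ]; then
        rm -f -- "${DEBUGFILE}"
      fi
      # Create the file ourselves, readable by the owner only: it lists every
      # tool and path the scan looked at.  The umask change is confined to the
      # subshell so it does not leak into the rest of the run.
      if ! ( umask 077; : > "${DEBUGFILE}" ) 2>/dev/null; then
        echo "Can't create ${DEBUGFILE}... no log file created" >&2
        DEBUGFILE="/dev/null"
      fi
    fi
fi

if [ "${DEBUGFILE}" = "" ]; then
    DEBUGFILE="/dev/null"
fi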

# Scan tallies, filled in by the rootkit and MD5 checks
INFECTED_COUNT=0     # rootkits with at least one trace found
INFECTED_NAMES=""    # their names, space separated
SCANNED_COUNT=0      # files looked for so far
MD5_COUNT=0
MD5_DIFFERENT=0

# Per-test flags
FOUNDFILE=0
FOUNDRCSIGNS=0

# Initialize grsec (grsec check)
GRSECINSTALLED=0

# Raised whenever a warning is reported; decides the final exit status
WARNING=0

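# Output mode.  Under cron there is no terminal: no colours and no pauses.
if [ "${CRONJOB:-0}" -eq 1 ]; then
  COLORS=0
  # Do not wait in cronjob mode
  PAUSEAFTERTESTS=0
  WAITONWARNING=0
 else
  if [ "${NOCOLORS:-0}" -eq 1 ]
    then
      COLORS=0
    else
      COLORS=1
  fi
fi

# --quick only narrows a scan that was asked for with -c / --checkall; on
# its own it does nothing useful, which is almost certainly not what the
# caller meant.  Reported on stderr; as before this is a warning, not a
# fatal error.  (Two tests joined with || instead of the ambiguous '-a'.)
if [ "${QUICKSCAN:-0}" -eq 1 ] && [ "${CHECK:-0}" -eq 0 ]
  then
    echo "Wrong parameter use: Quickscan option active, but scan option (-c) is missing..." >&2
fi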

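# Integrity tests
STRINGSFAILED=0

# Terminal colours.  The escape sequences are built with printf instead of
# being embedded as a literal ESC byte (0x1b): a raw control character in
# the source survives neither every editor nor every copy of the file, and
# once it is lost the "colours" print as bare "[1;32m" text.
init_colors()
  {
    COLOR_ESC=$(printf '\033')
    NORMAL="${COLOR_ESC}[0;39m"
    warning="${COLOR_ESC}[33;55;1m" # yellow WARNING
    #YELLOW="${COLOR_ESC}[33;55;1m"
    YELLOW="${COLOR_ESC}[1;33m" # yellow
    WHITE="${COLOR_ESC}[1;37m"
    OK="${COLOR_ESC}[1;32m" # green OK
    DARKGRAY="${COLOR_ESC}[1;30m"
    green="${COLOR_ESC}[1;32m" # green
    red="${COLOR_ESC}[1;31m" # red
    BAD="${COLOR_ESC}[1;31m" # red BAD
  }

# Without colours the variables stay empty and the markup vanishes.
if [ "${COLORS:-0}" -eq 1 ]; then
  init_colors
fi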

# Host name, for the log header
hostname=$(hostname)

# Start timestamp in seconds.  AIX/SunOS run this under ksh, whose
# $SECONDS (seconds since the shell started) is used; elsewhere the epoch
# time from date.
case $(uname) in
  AIX|SunOS) BEGINTIME=$SECONDS ;;
  *)         BEGINTIME=$(date +%s) ;;
esac

filelist="/bin/ps /bin/ls"

# Messages
FOUNDTRACES="
             --------------------------------------------------------------------------------
	     Found parts of this rootkit/trojan by checking the default files and directories
	     Please inspect the available files, by running this check with the parameter
	     --createlogfile and check the log file (current file: $DEBUGFILE).
	     --------------------------------------------------------------------------------
	     "

# Column used to place the "[ OK ]" / "[ Warning! ]" result markers
defaultcolumn="60"

# NOTE(review): the option loop above has shifted every argument away by
# now, so these three are always empty; nothing in the visible code reads
# them.
arg1="$1"
arg2="$2"
arg3="$3"

STATUS="0"
EGREP="egrep"


##################################################################################################
#
# Global functions
#
##################################################################################################

    # Copy SIZE into the global 'counter'.  (An older comment here spoke of
    # "jumping to position 70"; no cursor movement happens in this function.)
    jump()
      {
        counter="${SIZE}"
      }

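    # Pause for <ENTER> after a warning or a test, unless the user asked
    # not to (--skip-keypress and --cronjob clear both flags) or output is
    # muted with --quiet.  The line typed is discarded.
    waitkeypress()
      {
        if [ "${WAITONWARNING}" -eq 1 ] || [ "${PAUSEAFTERTESTS}" -eq 1 ]; then
          if [ "${QUIET}" -eq 0 ]
            then
              echo ""
              echo "[Press <ENTER> to continue]"
              # -r: a backslash in the typed line is not an escape
              read -r a
          fi
        fi
      }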

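    # Print the current time as "[HH:MM:SS] " (no trailing newline), used as
    # the prefix of a log line.
    debugdate()
      {
        sdate=`date "+[%H:%M:%S] "`
        # printf rather than 'echo -n': -n is not handled the same way by
        # every shell/echo this script runs under (bash, ksh, 'print').
        printf '%s' "${sdate}"
      }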

    # Wait for <ENTER> after a test, but only in an interactive (pausing)
    # and non-quiet run; otherwise return at once.
    keypresspause()
      {
        [ "${PAUSEAFTERTESTS}" -eq 1 ] || return 0
        [ "${QUIET}" -eq 0 ] || return 0
        echo ""
        echo "[Press <ENTER> to continue]"
        read a
      }

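    # Append a line to the log file (DEBUGFILE), prefixed with the time.
    #
    #   logtext "text"           -> "[HH:MM:SS] text\n"
    #   logtext -n "text"        -> "[HH:MM:SS] text"   (no newline, so a
    #                               later --nodate call completes the line)
    #   logtext -e "text"        -> like the plain form, with backslash
    #                               escapes in text interpreted
    #   logtext --nodate "text"  -> "text\n"
    #
    # printf is used instead of echo so the output is the same under bash,
    # ksh and the 'print' alias, and so a message that happens to begin
    # with "-n" or "-e" cannot be taken for an option by echo itself.
    logtext()
      {
        # Add date/time to logfile
        if [ ! "$1" = "--nodate" ]; then
          debugdate >> "${DEBUGFILE}"
        fi

        case "$1" in
          -n)
            printf '%s' "$2" >> "${DEBUGFILE}"
            ;;
          -e)
            # %b interprets \n, \t, \033... the way 'echo -e' did
            printf '%b\n' "$2" >> "${DEBUGFILE}"
            ;;
          --nodate)
            printf '%s\n' "$2" >> "${DEBUGFILE}"
            ;;
          *)
            printf '%s\n' "$1" >> "${DEBUGFILE}"
            ;;
        esac
      }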

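    # Print a line to the user.  Same calling forms as logtext: "text",
    # -n "text" (no newline) and -e "text" (backslash escapes interpreted;
    # used for the cursor-positioning LAYOUT prefix and the colour codes).
    #
    # Side effects: when any argument contains BAD, Warning, WARNING or
    # Watch the global WARNING flag is raised (the exit status depends on
    # it).  In quiet mode only such warning lines are shown, each preceded
    # by the line printed before it ("Line: ...") so the reader can tell
    # which test it belongs to; PREVIOUSTEXT carries that line between
    # calls and is only updated by lines actually displayed.
    displaytext()
      {
        DODISPLAY=0
        FOUNDWARNING=0

        # Substring match on each argument.  A case pattern does what the
        # old "echo ... | egrep 'BAD|Warning|WARNING|Watch'" did, without
        # forking and without first word-splitting the text.
        for DT_ARG in "$1" "$2" "$3"; do
          case "${DT_ARG}" in
            *BAD*|*Warning*|*WARNING*|*Watch*)
              FOUNDWARNING=1
              WARNING=1
              ;;
          esac
        done

        if [ "${QUIET:-0}" -eq 1 ]
          then
            if [ ${FOUNDWARNING} -eq 1 ]
              then
                DODISPLAY=1
                echo "Line: ${PREVIOUSTEXT}"
            fi
          else
            DODISPLAY=1
        fi

        if [ "${DODISPLAY}" -eq 1 ]; then
          case "$1" in
            -n)
              printf '%s' "$2"
              PREVIOUSTEXT="$2"
              ;;
            -e)
              printf '%b\n' "$2"
              PREVIOUSTEXT="$2"
              ;;
            *)
              printf '%s\n' "$1"
              PREVIOUSTEXT="$1"
              ;;
          esac
        fi
      }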

    # Set LAYOUT to the prefix that pushes the "[ OK ]" / "[ Warning! ]"
    # marker into the result column: an ANSI cursor-forward sequence of
    # 'jump' columns interactively, two plain spaces under cron (the output
    # is mailed then, not shown on a terminal).  The sequence is stored as
    # the literal characters backslash-0-3-3; displaytext -e decodes it.
    insertlayout()
      {
        LAYOUT="  "
        if [ "${CRONJOB}" -eq 0 ]; then
          LAYOUT="\033[${jump}C"
        fi
      }
      
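    # Run one rootkit's file / directory / ksyms checks and report the result.
    #
    # Inputs (globals set by the caller):
    #   SCAN_ROOTKIT  display name of the rootkit
    #   SCAN_FILES    whitespace-separated list of files to look for
    #   SCAN_DIRS     whitespace-separated list of directories to look for
    #   SCAN_KSYMS    symbol to grep for in ${ROOTDIR}proc/ksyms (empty:
    #                 skipped; only Linux 2.4-style kernels have that file)
    # Because the lists are split on whitespace, a '%' run inside an entry
    # stands for one space, and shell wildcards in an entry are expanded by
    # that same unquoted expansion.
    #
    # Updates ROOTKIT_TESTS (names scanned so far), SCANNED_COUNT,
    # INFECTED_COUNT / INFECTED_NAMES and WARNING, and prints the
    # "[ OK ]" / "[ Warning! ]" line through displaytext.
    scanrootkit()
      {
        if [ "${ROOTKIT_TESTS}" = "" ]
          then
            ROOTKIT_TESTS="${SCAN_ROOTKIT}"
          else
            ROOTKIT_TESTS="${ROOTKIT_TESTS}, ${SCAN_ROOTKIT}"
        fi
        SCAN_STATUS=0
        # Column math for the result marker: the name is printed inside
        # quotes, so it is measured with them (and wc's trailing newline).
        JUMPCOL=`expr ${defaultcolumn} - 12`
        SIZE=`printf '%s\n' "'${SCAN_ROOTKIT}'" | wc -c | tr -d ' '`
        jump=`expr ${JUMPCOL} - ${SIZE}`
        displaytext -n "   Rootkit '${SCAN_ROOTKIT}'... "
        logtext "*** Start scan ${SCAN_ROOTKIT} ***"

        # logtext already appends to DEBUGFILE.  The redundant ">> DEBUGFILE"
        # the file-loop calls used to carry made the shell refuse the whole
        # command ("ambiguous redirect") whenever DEBUGFILE was empty, so
        # those log lines were silently dropped.
        for I in $SCAN_FILES; do
          SCANNED_COUNT=`expr ${SCANNED_COUNT} + 1`
          I=`printf '%s\n' "${I}" | tr -s '%' ' '`
          logtext -n "Scanning for file ${I}... "
          if [ -f "${I}" ]; then
              logtext --nodate "WARNING! Exists."
              SCAN_STATUS=1
              # Set warning value, to exit with a nonzero state
              WARNING=1
            else
              logtext --nodate "OK. Not found."
          fi
        done

        for I in $SCAN_DIRS; do
          I=`printf '%s\n' "${I}" | tr -s '%' ' '`
          logtext -n "Scanning for directory ${I}... "
          if [ -d "${I}" ]; then
              logtext --nodate "WARNING! Exists."
              SCAN_STATUS=1
              WARNING=1
            else
              logtext --nodate "OK. Not found."
          fi
        done

        # Scan ksyms file.  A hit now counts as a finding: before, it was
        # only written to the log while the screen still showed "[ OK ]".
        # The pattern is quoted so it reaches grep as one argument.
        if [ ! "${SCAN_KSYMS}" = "" ] && [ -f "${ROOTDIR}proc/ksyms" ]
          then
            SEARCHTEXT=`grep -- "${SCAN_KSYMS}" "${ROOTDIR}proc/ksyms"`
            if [ ! "${SEARCHTEXT}" = "" ]
              then
                logtext "WARNING! Found ${SCAN_KSYMS}"
                SCAN_STATUS=1
                WARNING=1
              else
                logtext "ksyms file seems to be clean"
            fi
        fi

        if [ "${SCAN_STATUS}" -eq 1 ]
          then
            insertlayout
            displaytext -e "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
            INFECTED_COUNT=`expr ${INFECTED_COUNT} + 1`
            INFECTED_NAMES="${INFECTED_NAMES}${SCAN_ROOTKIT} "
            displaytext "${FOUNDTRACES}"
            # Let the user read the finding before the next test scrolls by
            waitkeypress
          else
            insertlayout
            displaytext -e "${LAYOUT}[ ${OK}OK${NORMAL} ]"
        fi
      }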

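    # Extra heuristics for the SucKIT rootkit.  Linux only, and only when
    # the application scan found a stat binary (STATFOUND / STATBINARY).
    # Findings go to the log; the link-count check also raises SCAN_STATUS.
    scanrootkit_suckit_extra_checks()
      {
        if [ "${OPERATING_SYSTEM}" = "Linux" ]
          then
            if [ ${STATFOUND} -eq 1 ]
              then
                # 1. Hard-link count of /sbin/init.  Anything but exactly
                #    one link is reported, as in the original check.  The
                #    count is asked for directly (%h) from the stat binary
                #    the application scan located, instead of cutting field
                #    9 out of 'stat -t' output; a failed stat is logged as
                #    such rather than reported as a linkage warning.
                unset i
                i=`${STATBINARY:-stat} -c '%h' /sbin/init 2>/dev/null`
                case "${i}" in
                  1)  ;;
                  "") logtext "Info: could not stat /sbin/init, linkage check skipped" ;;
                  *)  logtext "WARNING! ${SCAN_ROOTKIT} /sbin/init linkage"
                      SCAN_STATUS=1 ;;
                esac

                # 2. File-hiding probe: create a file named *.xrk / *.mem and
                #    look it up again; if it cannot be seen, something is
                #    hiding it.  The suffix is what the check relies on (the
                #    original created the probe directly in TMPDIR; if the
                #    hiding turned out to be directory-specific this would
                #    need revisiting).  The probe lives in a fresh private
                #    directory from mktemp -d rather than under a
                #    predictable "$$<epoch>.<ext>" name in TMPDIR, where
                #    another local user could pre-create a symlink that
                #    'touch' would follow with our (root) privileges.  The
                #    umask change is confined to the subshell instead of
                #    leaking into the rest of the scan.
                (
                  umask 077
                  probedir=`mktemp -d "${TMPDIR}/rkhunter.XXXXXX" 2>/dev/null`
                  if [ "${probedir}" = "" ] || [ ! -d "${probedir}" ]; then
                    logtext "Info: could not create a probe directory under ${TMPDIR}, xrk/mem hiding test skipped"
                    exit 0
                  fi
                  for ext in xrk mem; do
                    probe="${probedir}/probe.${ext}"
                    touch "${probe}" && test -f "${probe}" && rm -f "${probe}" \
                      || logtext "WARNING! ${SCAN_ROOTKIT} ${ext} hiding"
                  done
                  rmdir "${probedir}"
                )

                # 3. If we've got skdet (a SucKIT detector shipped by Debian),
                #    run it too.  It is taken from PATH as found, so it is only
                #    as trustworthy as the rest of the system.
                if command -v skdet >/dev/null 2>&1; then
                  skdet
                fi
              else
                logtext "Info: Extended suckit tests skipped, due to missing stat binary"
            fi
          else
            logtext "Info: Extended suckit tests skipped for this operating system (no Linux architecture)"
        fi
      }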


# Log header: program banner, then the licence text
for BANNERLINE in "Running ${PROGRAM_NAME} ${PROGRAM_version} on ${hostname}" "${PROGRAM_license}"; do
  logtext "${BANNERLINE}"
done


##################################################################################################
#
# Configuration file
#
##################################################################################################



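# Configuration file: --configfile, else /etc/rkhunter.conf, else the
# /usr/local fallback.
if [ "${CONFIGFILE}" = "" ]
  then
    if [ -f /etc/rkhunter.conf ]
      then
        CONFIGFILE="/etc/rkhunter.conf"
      else
        CONFIGFILE="/usr/local/etc/rkhunter.conf"
    fi
fi

# The configuration file decides where this scan looks for its database,
# its temporary files and its own installation (INSTALLDIR, DBDIR, TMPDIR),
# so it must be a readable regular file.  And since the scan normally runs
# as root, a file that other users can write to would let them steer it:
# that case is reported but, as nothing in the original did so, not fatal.
if [ ! -f "${CONFIGFILE}" ] || [ ! -r "${CONFIGFILE}" ]; then
  echo "Fatal error: can't read configuration file (${CONFIGFILE})" >&2
  exit 1
fi
case `ls -ld "${CONFIGFILE}" 2>/dev/null` in
  ????????w*)
    echo "Warning: configuration file ${CONFIGFILE} is world-writable" >&2
    ;;
esac

# INSTALLDIR=<path>.  Only a line starting with the key counts (the old
# unanchored grep also matched a commented-out "#INSTALLDIR=" or a key with
# a longer name) and only the key itself is stripped.  When the key is
# repeated the last line wins instead of producing a multi-line value.
MYDIR=`sed -n 's/^INSTALLDIR=//p' "${CONFIGFILE}" | sed -n '$p'`
if [ "${MYDIR}" = "" ]
  then
    echo "Fatal error: can't find INSTALLDIR option in configuration file (${CONFIGFILE})" >&2
    exit 1
fi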

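# NOTE: $SHELL is the login shell inherited from the environment, not
# necessarily the interpreter running this script (MYSHELL, set earlier
# from the echo/print probe, is the closer indication).
logtext "Info: Shell ${SHELL}"

logtext "------------------------ Configuration check --------------------------"
logtext "Parsing configuration file (${CONFIGFILE})"

# MAIL-ON-WARNING=<address>: anchored at the start of the line and only the
# key stripped (the old unanchored sed also ate the text anywhere in the
# value).  Last line wins if the key is repeated.
MAILONWARNING=`sed -n 's/^MAIL-ON-WARNING=//p' "${CONFIGFILE}" 2>/dev/null | sed -n '$p'`

if [ "${MAILONWARNING}" = "" ]
  then
    logtext "Info: No mail-on-warning address configured"
  else
    logtext "Info: Sending warnings to ${MAILONWARNING}"
fi

# Temporary directory: --tmpdir (or a TMPDIR already in the environment,
# which lands in the same variable), else TMPDIR= from the configuration
# file, else <INSTALLDIR>/lib/rkhunter/tmp.  The suckit check creates probe
# files in here, so a world-writable directory without the sticky bit is a
# poor choice.
if [ "${TMPDIR}" = "" ]
  then
    # Search in configuration file
    TMPDIR=`sed -n 's/^TMPDIR=//p' "${CONFIGFILE}" 2>/dev/null | sed -n '$p'`

    # If not available in configuration file, make it static
    if [ "${TMPDIR}" = "" ]
      then
        TMPDIR="${MYDIR}/lib/rkhunter/tmp"
    fi
fi

logtext "Info: Using ${TMPDIR} as temporary directory"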


##################################################################################################


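# Place where database files can be found: --dbdir, else DBDIR= from the
# configuration file, else <INSTALLDIR>/lib/rkhunter/db.
if [ "${DB_PATH}" = "" ]
  then
    # Search in configuration file -- anchored at the start of the line, key
    # only stripped, last line wins if repeated (the old unanchored version
    # also matched "#DBDIR=" comments).
    DB_PATH=`sed -n 's/^DBDIR=//p' "${CONFIGFILE}" 2>/dev/null | sed -n '$p'`

    # If not available in configuration file, make it static
    if [ "${DB_PATH}" = "" ]
      then
        DB_PATH="${MYDIR}/lib/rkhunter/db"
    fi
fi

logtext "Info: Using ${DB_PATH} as database directory"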


##################################################################################################



# Directories searched for the helper binaries, unless --bindir supplied a
# list.  Their order matters to the application scan that follows: a tool
# present in several of them is taken from the LAST directory listed.
: "${BINPATHS:=/usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /bin /sbin}"
logtext "Info: Using '${BINPATHS}' as binary directory"

# File with mirrors
MIRRORFILE="${DB_PATH}/mirrors.dat"


##################################################################################################
#
# Application checks
#
##################################################################################################

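# "Found" flags for the helper programs, cleared before the application
# scan.  LSATTRFOUND is included: the scan sets it like the others but it
# was never initialised, so it read as empty (not 0) when lsattr was absent.
IFCONFIGFOUND=0; IPFOUND=0
LYNXFOUND=0; LSFOUND=0; LSATTRFOUND=0; LSMODFOUND=0; LSOFFOUND=0
MD5FOUND=0
NMAPFOUND=0
PERLFOUND=0; PRELINKFOUND=0; PSFOUND=0
STATFOUND=0; STRINGSFOUND=0
WGETFOUND=0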


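logtext "-------------------------- Application scan ---------------------------"

# Look for the helper programs the later tests rely on, in every directory
# of BINPATHS.  For each tool found, <NAME>FOUND is set to 1 and
# <NAME>BINARY to its path; when a tool exists in more than one directory
# the LAST one in BINPATHS wins, since every hit overwrites the previous.
# This only establishes that a file of that name exists -- a trojaned
# ls/ps/stat found here is used by the checks that rely on it.
scan_application_dirs()
  {
    for I in ${BINPATHS}; do
      J="${I}/ip";       if [ -f "${J}" ]; then logtext "Found ${J}"; IPFOUND=1;       IPBINARY="${J}";       fi
      J="${I}/ifconfig"; if [ -f "${J}" ]; then logtext "Found ${J}"; IFCONFIGFOUND=1; IFCONFIGBINARY="${J}"; fi
      J="${I}/lynx";     if [ -f "${J}" ]; then logtext "Found ${J}"; LYNXFOUND=1;     LYNXBINARY="${J}";     fi
      J="${I}/ls";       if [ -f "${J}" ]; then logtext "Found ${J}"; LSFOUND=1;       LSBINARY="${J}";       fi
      J="${I}/lsattr";   if [ -f "${J}" ]; then logtext "Found ${J}"; LSATTRFOUND=1;   LSATTRBINARY="${J}";   fi
      J="${I}/lsmod";    if [ -f "${J}" ]; then logtext "Found ${J}"; LSMODFOUND=1;    LSMODBINARY="${J}";    fi
      J="${I}/lsof";     if [ -f "${J}" ]; then logtext "Found ${J}"; LSOFFOUND=1;     LSOFBINARY="${J}";     fi
      J="${I}/md5";      if [ -f "${J}" ]; then logtext "Found ${J}"; MD5FOUND=1;      MD5BINARY="${J}";      fi
      J="${I}/md5sum";   if [ -f "${J}" ]; then logtext "Found ${J}"; MD5FOUND=1;      MD5BINARY="${J}";      fi
      J="${I}/nmap";     if [ -f "${J}" ]; then logtext "Found ${J}"; NMAPFOUND=1;     NMAPBINARY="${J}";     fi
      J="${I}/prelink";  if [ -f "${J}" ]; then logtext "Found ${J}"; PRELINKFOUND=1;  PRELINKBINARY="${J}";  fi
      J="${I}/ps";       if [ -f "${J}" ]; then logtext "Found ${J}"; PSFOUND=1;       PSBINARY="${J}";       fi
      J="${I}/stat";     if [ -f "${J}" ]; then logtext "Found ${J}"; STATFOUND=1;     STATBINARY="${J}";     fi
      J="${I}/strings";  if [ -f "${J}" ]; then logtext "Found ${J}"; STRINGSFOUND=1;  STRINGSBINARY="${J}";  fi
      J="${I}/wget";     if [ -f "${J}" ]; then logtext "Found ${J}"; WGETFOUND=1;     WGETBINARY="${J}";     fi

      # Perl, with its version: "perl -V:version" prints version='5.x.y';
      # strip the decoration.  (Plain -p instead of -pi: there is no file to
      # edit in place, the text comes from the pipe.)
      J="${I}/perl"
      if [ -f "${J}" ]; then
        PERLFOUND=1
        PERLBINARY="${J}"
        PERLVERSION=`"${J}" -V:version | "${J}" -pe "s/^version='(.*)';\$/\$1/"`
        logtext "Found ${J} (version ${PERLVERSION})"
      fi
    done
  }

scan_application_dirs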


# Summarise the optional tools in the log (the scan above only logs the
# ones it found)
if [ "${WGETFOUND}" -eq 1 ]; then logtext "Info: WGET found" >> ${DEBUGFILE}; else logtext "Info: WGET not found" >> ${DEBUGFILE}; fi
if [ "${NMAPFOUND}" -eq 1 ]; then logtext "Info: NMAP found" >> ${DEBUGFILE}; else logtext "Info: NMAP not found" >> ${DEBUGFILE}; fi
if [ "${LSOFFOUND}" -eq 1 ]; then logtext "Info: LSOF found" >> ${DEBUGFILE}; else logtext "Info: LSOF not found" >> ${DEBUGFILE}; fi
if [ "${IPFOUND}" -eq 1 ]; then logtext "Info: ip found" >> ${DEBUGFILE}; else logtext "Info: ip not found" >> ${DEBUGFILE}; fi

logtext "Application scan ended"

# Short alias for the md5 tool, when one was found
[ "${MD5BINARY}" = "" ] || md5=${MD5BINARY}

# Ports used by known backdoors (presumably consulted by a later check,
# outside this part of the file)
BACKDOORPORTS="2006"

#################################################################################
#
# Default rootkit files and directories
#
# Each rootkit has <NAME>_FILES, <NAME>_DIRS and, for some, <NAME>_KSYMS,
# presumably handed to scanrootkit() as SCAN_FILES / SCAN_DIRS / SCAN_KSYMS
# by code further down (not shown here).  Conventions:
#  - entries carry the ${ROOTDIR} prefix (default "/", hence no leading
#    slash in the text), which is what lets --rootdir point the scan at a
#    mounted or chrooted system;
#  - the lists are split on whitespace, so a path that itself contains a
#    space is written with '%' in its place and scanrootkit() turns a run
#    of '%' back into one space;
#  - that split is an unquoted expansion, so shell wildcards in an entry
#    (".ark?", "sh*") are expanded against the filesystem;
#  - a *_KSYMS value is grepped for in ${ROOTDIR}proc/ksyms (Linux 2.4 and
#    older).
# Lists that are empty are still assigned, presumably so the scan sees an
# empty value rather than an unset variable.
#
#################################################################################
#

# 55808 Variant A
W55808A_FILES="${ROOTDIR}tmp/.../r ${ROOTDIR}tmp/.../a"

# AjaKit
AJAKIT_FILES="
${ROOTDIR}dev/tux/.addr
${ROOTDIR}dev/tux/.proc
${ROOTDIR}dev/tux/.file
${ROOTDIR}lib/.libgh-gh/cleaner
${ROOTDIR}lib/.libgh-gh/Patch/patch
${ROOTDIR}lib/.libgh-gh/sb0k
"

# ${ROOTDIR}dev/tux is also listed for Optic Kit and Tuxtendo below
AJAKIT_DIRS="
${ROOTDIR}dev/tux
${ROOTDIR}lib/.libgh-gh
"

AJAKIT_KSYMS=""

# aPa Kit
APAKIT_FILES="${ROOTDIR}usr/share/.aPa"
APAKIT_DIRS=""
APAKIT_KSYMS=""

# Apache Worm
APACHEWORM_FILES="${ROOTDIR}bin/.log"

# Ambient (ark) Rootkit
# ".ark?" is a wildcard: any single-character suffix matches
ARK_FILES="${ROOTDIR}usr/lib/.ark? ${ROOTDIR}dev/ptyxx/.log ${ROOTDIR}dev/ptyxx/.file"
ARK_DIRS="${ROOTDIR}dev/ptyxx"

# Balaur Rootkit 2.0 (LRK5 based)
BALAUR_FILES="
${ROOTDIR}usr/lib/liblog.o
"
BALAUR_DIRS="
${ROOTDIR}usr/lib/.kinetic
${ROOTDIR}usr/lib/.egcs
${ROOTDIR}usr/lib/.wormie
"

BALAUR_KSYMS=""

# Beastkit
BEASTKIT_FILES="${ROOTDIR}usr/sbin/arobia ${ROOTDIR}usr/sbin/idrun ${ROOTDIR}usr/lib/elm/arobia/elm ${ROOTDIR}usr/lib/elm/arobia/elm/hk ${ROOTDIR}usr/lib/elm/arobia/elm/hk.pub ${ROOTDIR}usr/lib/elm/arobia/elm/sc ${ROOTDIR}usr/lib/elm/arobia/elm/sd.pp ${ROOTDIR}usr/lib/elm/arobia/elm/sdco ${ROOTDIR}usr/lib/elm/arobia/elm/srsd"
BEASTKIT_DIRS="${ROOTDIR}lib/ldd.so/bktools"

# BOBkit
BOBKIT_FILES="
${ROOTDIR}usr/sbin/ntpsx
${ROOTDIR}usr/lib/.../ls
${ROOTDIR}usr/lib/.../netstat
${ROOTDIR}usr/lib/.../lsof
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-shdcfg
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-shhk
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-pw
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-shrs
${ROOTDIR}usr/lib/.../uconf.inv
${ROOTDIR}usr/lib/.../psr
${ROOTDIR}usr/lib/.../find
${ROOTDIR}usr/lib/.../pstree
${ROOTDIR}usr/lib/.../slocate
${ROOTDIR}usr/lib/.../du
${ROOTDIR}usr/lib/.../top
"

BOBKIT_DIRS="
${ROOTDIR}usr/lib/...
${ROOTDIR}usr/lib/.../bkit-ssh
${ROOTDIR}usr/lib/.bkit-
${ROOTDIR}tmp/.bkp
"

# CiNIK Worm (Slapper.B variant)
CINIK_DIRS="${ROOTDIR}tmp/.font-unix/.cinik"
CINIK_FILES="${ROOTDIR}tmp/.cinik"

# Danny-Boy's Abuse Kit
DANNYBOY_FILES="${ROOTDIR}dev/mdev ${ROOTDIR}usr/lib/libX.a"
DANNYBOY_DIRS=""
DANNYBOY_KSYMS=""

# Devil
DEVIL_FILES="
${ROOTDIR}var/lib/games/.src
${ROOTDIR}dev/dsx
${ROOTDIR}dev/caca
"

# Dica (T0rn variant)
DICA_FILES="
${ROOTDIR}lib/.sso
${ROOTDIR}lib/.so
${ROOTDIR}var/run/...dica/clean
${ROOTDIR}var/run/...dica/xl
${ROOTDIR}var/run/...dica/xdr
${ROOTDIR}var/run/...dica/psg
${ROOTDIR}var/run/...dica/secure
${ROOTDIR}var/run/...dica/rdx
${ROOTDIR}var/run/...dica/va
${ROOTDIR}var/run/...dica/cl.sh
${ROOTDIR}usr/bin/.etc
"

DICA_DIRS="
${ROOTDIR}var/run/...dica
${ROOTDIR}var/run/...dica/mh
${ROOTDIR}var/run/...dica/scan
"

DICA_KSYMS=""

# Dreams
DREAMS_FILES="
${ROOTDIR}dev/ttyoa
${ROOTDIR}dev/ttyof
${ROOTDIR}dev/ttyop
${ROOTDIR}usr/bin/sense
${ROOTDIR}usr/bin/sl2
${ROOTDIR}usr/bin/logclear
${ROOTDIR}usr/bin/(swapd)
${ROOTDIR}usr/bin/snfs
${ROOTDIR}usr/lib/libsss
"

DREAMS_DIRS="${ROOTDIR}dev/ida/.hpd"
DREAMS_KSYMS=""

# Duarawkz
DUARAWKZ_FILES="${ROOTDIR}usr/bin/duarawkz/loginpass"
DUARAWKZ_DIRS="${ROOTDIR}usr/bin/duarawkz"
DUARAWKZ_KSYMS=""

# Flea Linux rootkit
FLEA_FILES="
${ROOTDIR}etc/ld.so.hash
${ROOTDIR}lib/security/.config/ssh/ssh_host_key
${ROOTDIR}lib/security/.config/ssh/ssh_host_key.pub
${ROOTDIR}lib/security/.config/ssh/ssh_random_seed
${ROOTDIR}usr/bin/ssh2d
${ROOTDIR}usr/lib/ldlibns.so
${ROOTDIR}usr/lib/ldlibpst.so
${ROOTDIR}usr/lib/ldlibdu.so
${ROOTDIR}usr/lib/ldlibct.so
"

FLEA_DIRS="${ROOTDIR}lib/security/.config/ssh ${ROOTDIR}dev/..0 ${ROOTDIR}dev/..0/backup"
FLEA_KSYMS=""

# FreeBSD Rootkit
FREEBSD_RK_FILES="
${ROOTDIR}usr/lib/.fx/sched_host.2
${ROOTDIR}usr/lib/.fx/random_d.2
${ROOTDIR}usr/lib/.fx/set_pid.2
${ROOTDIR}usr/lib/.fx/cons.saver
${ROOTDIR}usr/lib/.fx/adore/adore/adore.ko
${ROOTDIR}bin/sysback
${ROOTDIR}usr/local/bin/sysback
"

FREEBSD_RK_DIRS="${ROOTDIR}usr/lib/.fx ${ROOTDIR}usr/lib/.fx/adore"

# Fuckit Rootkit (files only; no *_DIRS / *_KSYMS list is defined for it)
FUCKIT_FILES="
${ROOTDIR}dev/proc/fuckit/hax0r
${ROOTDIR}dev/proc/fuckit/hax0rshell
${ROOTDIR}dev/proc/fuckit/config/lports
${ROOTDIR}dev/proc/fuckit/config/rports
${ROOTDIR}dev/proc/fuckit/config/rkconf
${ROOTDIR}dev/proc/fuckit/config/password
${ROOTDIR}dev/proc/fuckit/config/progs
${ROOTDIR}dev/proc/system-bins/init
"

# GasKit Rootkit
GASKIT_FILES="${ROOTDIR}dev/dev/gaskit/sshd/sshdd"
GASKIT_DIRS="${ROOTDIR}dev/dev ${ROOTDIR}dev/dev/gaskit ${ROOTDIR}dev/dev/gaskit/sshd"

# Heroin LKM -- a kernel module: nothing on disk to look for, only the
# exported symbol in ksyms
HEROIN_FILES=""
HEROIN_DIRS=""
HEROIN_KSYMS="heroin"

# HjC Kit
HJCKIT_FILES=""
HJCKIT_DIRS="${ROOTDIR}dev/.hijackerz"
HJCKIT_KSYMS=""

# ignoKit
# NOTE(review): "usr/lib/defs/p" is listed five times, matching the
# p..t pattern of the lib/defs entries above; q..t may have been intended.
# Left as in the original.
IGNOKIT_FILES="
${ROOTDIR}lib/defs/p
${ROOTDIR}lib/defs/q
${ROOTDIR}lib/defs/r
${ROOTDIR}lib/defs/s
${ROOTDIR}lib/defs/t
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/.libigno/pkunsec
${ROOTDIR}usr/lib/.libigno/.igno/psybnc/psybnc
"

IGNOKIT_DIRS="
${ROOTDIR}usr/lib/.libigno
${ROOTDIR}usr/lib/.libigno/.igno/
"

IGNOKIT_KSYMS=""

# ImperalsS-FBRK (FreeBSD Rootkit)
IMPFRB_DIRS="${ROOTDIR}dev/fd/.88 ${ROOTDIR}dev/fd/.99"

# Irix Rootkit (for Irix 6.x)
IRIXRK_FILES=""
IRIXRK_DIRS="
${ROOTDIR}dev/pts/01
${ROOTDIR}dev/pts/01/backup
${ROOTDIR}dev/pts/01/etc
${ROOTDIR}dev/pts/01/tmp
"
IRIXRK_KSYMS=""

# Kitko
KITKO_FILES=""
KITKO_DIRS="${ROOTDIR}usr/src/redhat/SRPMS/..."
KITKO_KSYMS=""

# Knark (the kernel module exposes itself under /proc)
KNARK_FILES="${ROOTDIR}proc/knark/pids"
KNARK_DIRS="${ROOTDIR}proc/knark"
KNARK_KSYMS=""

# Lion Worm
LION_FILES="
${ROOTDIR}bin/in.telnetd
${ROOTDIR}bin/mjy
${ROOTDIR}usr/man/man1/man1/lib/.lib/mjy
${ROOTDIR}usr/man/man1/man1/lib/.lib/in.telnetd
${ROOTDIR}usr/man/man1/man1/lib/.lib/.x
${ROOTDIR}dev/.lib/lib/scan/1i0n.sh
${ROOTDIR}dev/.lib/lib/scan/hack.sh
${ROOTDIR}dev/.lib/lib/scan/bind
${ROOTDIR}dev/.lib/lib/scan/randb
${ROOTDIR}dev/.lib/lib/scan/scan.sh
${ROOTDIR}dev/.lib/lib/scan/pscan
${ROOTDIR}dev/.lib/lib/scan/star.sh
${ROOTDIR}dev/.lib/lib/scan/bindx.sh
${ROOTDIR}dev/.lib/lib/scan/bindname.log
${ROOTDIR}dev/.lib/lib/1i0n.sh
${ROOTDIR}dev/.lib/lib/lib/netstat
${ROOTDIR}dev/.lib/lib/lib/dev/.1addr
${ROOTDIR}dev/.lib/lib/lib/dev/.1logz
${ROOTDIR}dev/.lib/lib/lib/dev/.1proc
${ROOTDIR}dev/.lib/lib/lib/dev/.1file
"

# Lockit (a.k.a. LJK2)
# "ssh_random_seed*" is a wildcard entry
LOCKIT_FILES="
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_config
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_host_key
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_host_key.pub
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_random_seed*
${ROOTDIR}usr/lib/libmen.oo/.LJK2/sshd_config
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backdoor/RK1bd
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/du
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/ifconfig
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/inetd.conf
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/locate
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/login
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/ls
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/netstat
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/ps
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/pstree
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/rc.sysinit
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/syslogd
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/tcpd
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/top
${ROOTDIR}usr/lib/libmen.oo/.LJK2/clean/RK1sauber
${ROOTDIR}usr/lib/libmen.oo/.LJK2/clean/RK1wted
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hack/RK1parser
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hack/RK1sniff
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1addr
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1dir
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1log
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1proc
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c
${ROOTDIR}usr/lib/libmen.oo/.LJK2/modules/README.modules
${ROOTDIR}usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c
${ROOTDIR}usr/lib/libmen.oo/.LJK2/modules/RK1phide
${ROOTDIR}usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh
"

LOCKIT_DIRS="${ROOTDIR}usr/lib/libmen.oo/.LJK2"
LOCKIT_KSYMS=""

# MRK (MiCrobul RootKit?, based on Devil RootKit )
MRK_FILES="
${ROOTDIR}dev/ida/.inet/pid
${ROOTDIR}dev/ida/.inet/ssh_host_key
${ROOTDIR}dev/ida/.inet/ssh_random_seed
${ROOTDIR}dev/ida/.inet/tcp.log
"

MRK_DIRS="
${ROOTDIR}dev/ida/.inet
${ROOTDIR}var/spool/cron/.sh
"

# Ni0 Rootkit
NIO_FILES="
${ROOTDIR}var/lock/subsys/...datafile.../...net...
${ROOTDIR}var/lock/subsys/...datafile.../...port...
${ROOTDIR}var/lock/subsys/...datafile.../...ps...
${ROOTDIR}var/lock/subsys/...datafile.../...file...
"

NIO_DIRS="
${ROOTDIR}tmp/waza
${ROOTDIR}var/lock/subsys/...datafile...
${ROOTDIR}usr/sbin/es
"

NIO_KSYMS=""

# RootKit for SunOS / NSDAP
NSDAP_FILES="
${ROOTDIR}usr/lib/vold/nsdap/.kit
${ROOTDIR}usr/lib/vold/nsdap/defines
${ROOTDIR}usr/lib/vold/nsdap/patcher
${ROOTDIR}usr/lib/vold/nsdap/pg
${ROOTDIR}usr/lib/vold/nsdap/cleaner
${ROOTDIR}usr/lib/vold/nsdap/utime
${ROOTDIR}usr/lib/vold/nsdap/crypt
${ROOTDIR}usr/lib/vold/nsdap/findkit
${ROOTDIR}usr/lib/vold/nsdap/sn2
${ROOTDIR}usr/lib/vold/nsdap/sniffload
${ROOTDIR}usr/lib/vold/nsdap/runsniff
${ROOTDIR}usr/lib/lpset
"
NSDAP_DIRS="${ROOTDIR}usr/lib/vold/nsdap"
NSDAP_KSYMS=""

# Ohhara Rootkit (shares the ...datafile... directory with Ni0 above)
OHHARA_FILES="${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../in.smbd.log"
OHHARA_DIRS="
${ROOTDIR}var/lock/subsys/...datafile...
${ROOTDIR}var/lock/subsys/...datafile.../...datafile...
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../bin
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../usr/bin
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../usr/sbin
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../lib/security
"

# Optic Kit (Tux variant)
OPTICKIT_DIRS="${ROOTDIR}dev/tux ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf ${ROOTDIR}usr/bin/ssh2d"

# Oz Rootkit
OZ_FILES="${ROOTDIR}dev/.oz/.nap/rkit/terror"
OZ_DIRS="${ROOTDIR}dev/.oz"
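# Portacelo
# The original list used absolute paths here, unlike every other list, so
# --rootdir was ignored for this rootkit; ${ROOTDIR} is now applied.  Its
# last entry was written as "~/.sssh/known_hosts": a tilde inside a
# double-quoted string is not expanded, so that was a literal path relative
# to the current directory and never matched.  ${HOME} -- the home of the
# user running the scan, normally root -- is the closest reading of the
# intent; it is deliberately not made ROOTDIR-relative.
PORTACELO_FILES="
${ROOTDIR}var/lib/.../.ak
${ROOTDIR}var/lib/.../.hk
${ROOTDIR}var/lib/.../.rs
${ROOTDIR}var/lib/.../.p
${ROOTDIR}var/lib/.../getty
${ROOTDIR}var/lib/.../lkt.o
${ROOTDIR}var/lib/.../show
${ROOTDIR}var/lib/.../nlkt.o
${ROOTDIR}var/lib/.../ssshrc
${ROOTDIR}var/lib/.../sssh_equiv
${ROOTDIR}var/lib/.../sssh_known_hosts
${ROOTDIR}var/lib/.../sssh_pid
${HOME}/.sssh/known_hosts
"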

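# R3dstorm Toolkit
# The original list used absolute paths (unlike the other lists), so
# --rootdir had no effect on this rootkit; ${ROOTDIR} is now applied.
REDSTORM_FILES="
${ROOTDIR}var/log/tk02/see_all
${ROOTDIR}bin/.../sshd/sbin/sshd1
${ROOTDIR}bin/.../hate/sk
${ROOTDIR}bin/.../see_all
"

REDSTORM_DIRS="
${ROOTDIR}var/log/tk02
${ROOTDIR}var/log/tk02/old
${ROOTDIR}bin/...
"

REDSTORM_KSYMS=""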


# RSHA's rootkit
RSHA_FILES="
${ROOTDIR}bin/kr4p
${ROOTDIR}usr/bin/n3tstat
${ROOTDIR}usr/bin/chsh2
${ROOTDIR}usr/bin/slice2
${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc
${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr
"

RSHA_DIRS="
${ROOTDIR}etc/rc.d/rsha
${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib
"

RSHA_KSYMS=""

# Shutdown
SHUTDOWN_DIRS="${ROOTDIR}usr/man/man5/..%%/.dir/ ${ROOTDIR}usr/man/man5/..%%/.dir/scannah ${ROOTDIR}etc/rc.d/rc0.d/..%%/.dir"
SHUTDOWN_FILES="${ROOTDIR}usr/man/man5/..%%/.dir/scannah/asus ${ROOTDIR}usr/man/man5/..%%/.dir/see ${ROOTDIR}usr/man/man5/..%%/.dir/nscd ${ROOTDIR}usr/man/man5/..%%/.dir/alpd ${ROOTDIR}etc/rc.d/rc.local%%"

# Scalper (FreeBSD.Scalper.Worm)
SCALPER_FILES="${ROOTDIR}tmp/.a ${ROOTDIR}tmp/.uua"

# SHV4
SHV4_FILES="
${ROOTDIR}etc/ld.so.hash
${ROOTDIR}lib/libext-2.so.7
${ROOTDIR}lib/lidps1.so
${ROOTDIR}usr/sbin/xntps
"

SHV4_DIRS="${ROOTDIR}lib/security/.config ${ROOTDIR}lib/security/.config/ssh"

# Sin Rootkit
SINROOTKIT_FILES="
${ROOTDIR}dev/.haos/haos1/.f/Denyed
${ROOTDIR}dev/ttyoa
${ROOTDIR}dev/ttyof
${ROOTDIR}dev/ttyop
${ROOTDIR}dev/ttyos
${ROOTDIR}usr/lib/.lib 
${ROOTDIR}usr/lib/sn/.X
${ROOTDIR}usr/lib/sn/.sys
${ROOTDIR}usr/lib/ld/.X
${ROOTDIR}usr/man/man1/...
${ROOTDIR}usr/man/man1/.../.m
${ROOTDIR}usr/man/man1/.../.w
"

SINROOTKIT_DIRS="${ROOTDIR}usr/lib/sn ${ROOTDIR}usr/lib/man1/... ${ROOTDIR}dev/.haos"

# Slapper
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.uubugtraq ${ROOTDIR}tmp/.bugtraq.c ${ROOTDIR}tmp/httpd ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"

# Sneakin Rootkit
SNEAKIN_DIRS="${ROOTDIR}tmp/.X11-unix/.../rk"

# Suckit Rootkit
SUCKIT_FILES="
${ROOTDIR}sbin/initsk12
${ROOTDIR}sbin/initxrk
${ROOTDIR}usr/share/locale/sk/.sk12/sk
"

SUCKIT_DIRS="
${ROOTDIR}dev/sdhu0/tehdrakg
${ROOTDIR}etc/.MG
${ROOTDIR}usr/share/locale/sk/.sk12
"

# SunOS Rootkit
SUNOSROOTKIT_FILES="
${ROOTDIR}etc/ld.so.hash
${ROOTDIR}lib/libext-2.so.7
${ROOTDIR}usr/bin/ssh2d
${ROOTDIR}bin/xlogin
${ROOTDIR}usr/lib/crth.o
${ROOTDIR}usr/lib/crtz.o
${ROOTDIR}sbin/login
${ROOTDIR}lib/security/.config/sn
${ROOTDIR}lib/security/.config/lpsched
${ROOTDIR}dev/kmod
${ROOTDIR}dev/dos
"

# Superkit
SUPERKIT_FILES="${ROOTDIR}usr/man/.sman/sk"
SUPERKIT_DIRS=""
SUPERKIT_KSYMS=""

# Telnet Backdoor
TBD_FILES="${ROOTDIR}usr/lib/.tbd"

# TeLeKiT 
TELEKIT_FILES="
${ROOTDIR}usr/man/man3/.../TeLeKiT/bin/sniff
${ROOTDIR}usr/man/man3/.../TeLeKiT/bin/telnetd
${ROOTDIR}usr/man/man3/.../TeLeKiT/bin/teleulo
${ROOTDIR}usr/man/man3/.../cl
${ROOTDIR}dev/ptyr
${ROOTDIR}dev/ptyp
${ROOTDIR}dev/ptyq
${ROOTDIR}dev/hda06
${ROOTDIR}usr/info/libc1.so
"

TELEKIT_DIRS="${ROOTDIR}usr/man/man3/... ${ROOTDIR}usr/man/man3/.../lsniff ${ROOTDIR}usr/man/man3/.../TeLeKiT"
TELEKIT_KSYMS=""

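# Torn (and misc)
#
# Two entries of the original list ended in a long run of blanks inside the
# quoted string; they are stripped here.  Consumers word-split the list (the
# strings selftest does so via STRINGS_INTEGRITY), so the set of entries is
# unchanged -- the padding only misled readers into thinking those paths
# carried trailing spaces.
#
# NOTE(review): 'sh*' is a glob pattern and '.puta/' / '.t0rn/' are
# directories listed among the files; whether scanrootkit expands or stats
# them is decided inside that function, not here.
TORN_FILES="
${ROOTDIR}dev/.lib/lib/lib/t0rns
${ROOTDIR}dev/.lib/lib/lib/du
${ROOTDIR}dev/.lib/lib/lib/ls
${ROOTDIR}dev/.lib/lib/lib/t0rnsb
${ROOTDIR}dev/.lib/lib/lib/ps
${ROOTDIR}dev/.lib/lib/lib/t0rnp
${ROOTDIR}dev/.lib/lib/lib/find
${ROOTDIR}dev/.lib/lib/lib/ifconfig
${ROOTDIR}dev/.lib/lib/lib/pg
${ROOTDIR}dev/.lib/lib/lib/ssh.tgz
${ROOTDIR}dev/.lib/lib/lib/top
${ROOTDIR}dev/.lib/lib/lib/sz
${ROOTDIR}dev/.lib/lib/lib/login
${ROOTDIR}dev/.lib/lib/lib/in.fingerd
${ROOTDIR}dev/.lib/lib/lib/1i0n.sh
${ROOTDIR}dev/.lib/lib/lib/pstree
${ROOTDIR}dev/.lib/lib/lib/in.telnetd
${ROOTDIR}dev/.lib/lib/lib/mjy
${ROOTDIR}dev/.lib/lib/lib/sush
${ROOTDIR}dev/.lib/lib/lib/tfn
${ROOTDIR}dev/.lib/lib/lib/name
${ROOTDIR}dev/.lib/lib/lib/getip.sh
${ROOTDIR}usr/info/.torn/sh*
${ROOTDIR}usr/src/.puta/
${ROOTDIR}usr/src/.puta/.1addr
${ROOTDIR}usr/src/.puta/.1file
${ROOTDIR}usr/src/.puta/.1proc
${ROOTDIR}usr/src/.puta/.1logz
${ROOTDIR}usr/info/.t0rn/
"

# Directories, written with a trailing slash (unlike most other _DIRS lists)
TORN_DIRS="
${ROOTDIR}dev/.lib/
${ROOTDIR}dev/.lib/lib/
${ROOTDIR}dev/.lib/lib/lib/
${ROOTDIR}dev/.lib/lib/lib/dev/
${ROOTDIR}dev/.lib/lib/scan/
${ROOTDIR}usr/src/.puta/
${ROOTDIR}usr/man/man1/man1/
${ROOTDIR}usr/man/man1/man1/lib/
${ROOTDIR}usr/man/man1/man1/lib/.lib/
${ROOTDIR}usr/man/man1/man1/lib/.lib/.backup/
"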

# TROJANIT (no comment in the original; the entries are dot-prefixed copies
# of ls/ps/netstat/nop/who in the system bin directories)
TROJANIT_FILES="
${ROOTDIR}bin/.ls
${ROOTDIR}bin/.ps
${ROOTDIR}bin/.netstat
${ROOTDIR}usr/bin/.nop
${ROOTDIR}usr/bin/.who
"

# TPACK: no signatures recorded (both lists empty)
TPACK_FILES=""
TPACK_DIRS=""

# Tuxtendo (Tuxkit): everything lives under /dev/tux, including a backup/
# directory holding copies of the tools it replaces
TUXTENDO_FILES="
${ROOTDIR}dev/tux/.addr
${ROOTDIR}dev/tux/.cron
${ROOTDIR}dev/tux/.file
${ROOTDIR}dev/tux/.log
${ROOTDIR}dev/tux/.proc
${ROOTDIR}dev/tux/backup/crontab
${ROOTDIR}dev/tux/backup/df
${ROOTDIR}dev/tux/backup/dir
${ROOTDIR}dev/tux/backup/find
${ROOTDIR}dev/tux/backup/ifconfig
${ROOTDIR}dev/tux/backup/locate
${ROOTDIR}dev/tux/backup/netstat
${ROOTDIR}dev/tux/backup/ps
${ROOTDIR}dev/tux/backup/pstree
${ROOTDIR}dev/tux/backup/syslogd
${ROOTDIR}dev/tux/backup/tcpd
${ROOTDIR}dev/tux/backup/top
${ROOTDIR}dev/tux/backup/updatedb
${ROOTDIR}dev/tux/backup/vdir
"

TUXTENDO_DIRS="
${ROOTDIR}dev/tux
${ROOTDIR}dev/tux/ssh2
${ROOTDIR}dev/tux/backup
"

TUXTENDO_KSYMS=""

# URK (Universal Root Kit)
URK_FILES="
${ROOTDIR}usr/man/man1/xxxxxxbin/find
${ROOTDIR}usr/man/man1/xxxxxxbin/du
${ROOTDIR}usr/man/man1/xxxxxxbin/ps
${ROOTDIR}tmp/conf.inf
"

URK_DIRS="
${ROOTDIR}usr/man/man1/xxxxxxbin
"
# VcKit (directories only)
VCKIT_FILES=""
VCKIT_DIRS="${ROOTDIR}usr/include/linux/modules/lib.so ${ROOTDIR}usr/include/linux/modules/lib.so/bin"

# Volc Rootkit (directories only)
VOLC_FILES=""
VOLC_DIRS="
${ROOTDIR}var/spool/.recent
${ROOTDIR}var/spool/.recent/.files
${ROOTDIR}usr/lib/volc
${ROOTDIR}usr/lib/volc/backup
"

# X-Org SunOS Rootkit (hides under a fake libX.a directory)
XORGSUNOS_FILES="
${ROOTDIR}usr/lib/libX.a/bin/tmpfl
${ROOTDIR}usr/lib/libX.a/bin/rps
${ROOTDIR}usr/bin/srload
${ROOTDIR}usr/lib/libX.a/bin/sparcv7/rps
${ROOTDIR}usr/sbin/modcheck
"

# NOTE(review): the last entry is literally "man..." (no separator before the
# dots); presumably intentional, as other kits use "..." directory names.
XORGSUNOS_DIRS="
${ROOTDIR}usr/lib/libX.a
${ROOTDIR}usr/lib/libX.a/bin
${ROOTDIR}usr/lib/libX.a/bin/sparcv7
${ROOTDIR}usr/share/man...
"


# zaRwT.KiT  (/dev/ttyp also appears in SUSPICIOUS1_FILES below)
ZARWT_FILES="
${ROOTDIR}dev/rd/s/sendmeil
${ROOTDIR}dev/ttyf
${ROOTDIR}dev/ttyp
${ROOTDIR}dev/ttyn
${ROOTDIR}rk/tulz
"

ZARWT_DIRS="
${ROOTDIR}rk
${ROOTDIR}dev/rd/s
"

# Strings rather than paths (no ${ROOTDIR} prefix); the check that uses
# them is not visible in this part of the file
ZARWT_LOGS="
.zarwt.
sendmeil
:60922
cky.
"

# Miscellaneous login backdoors
LOGIN_BACKDOOR_FILES="${ROOTDIR}bin/.login ${ROOTDIR}sbin/.login"

# Misc Apache Backdoors (a marker string, not a path; presumably searched
# for in the HTTPDCONFS files listed below -- the check is not visible here)
APACHEBDOORS_STRINGS="gotcha"

# Suspicious files in /dev
# v1rootkit uses some files here to hide processes, UIDs and GIDs.
# Files: /dev/ttyp, /dev/ttypr, /dev/ttypp, /dev/ttypq (Checked: FreeBSD and RedHat don't have these files by default)
# Files: /dev/ptyxx/.list /dev/ptyxx/.proc
# Files: ${ROOTDIR}tmp/tr/td:

# Entry format: <basename>:<description>: -- bare names, no ${ROOTDIR}.
# '%%' in a description appears to stand in for a space so that each entry
# survives word-splitting as a single word; the substitution is done by the
# consumer (not visible here).
SUSPICIOUS1_FILES="
.list:Unknown file:
.proc:Unknown file:
psybnc:IRC%%bouncer:
td:Unknown file:
ttyp:Unknown file:
ttypr:Unknown file:
ttypp:Unknown file:
ttypq:Unknown file:
"

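# Suspicious directories (space-separated).  Prefixed with ${ROOTDIR} like
# every other path list in this file; the original hard-coded "/" here, so
# these were the only entries that ignored a non-default ROOTDIR.
SUSPICIOUS1_DIRS="${ROOTDIR}usr/X11R6/bin/.,/copy/ ${ROOTDIR}dev/rd"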

# Evil strings
#
# One entry per line, fields separated by ':' --
#   <location>:<file>:<string>:<description>
# where <location> is a directory group (bin, etc, libs, rc.d, ...; the
# mapping comment after this list spells them out) and <string> is the
# marker looked for inside <file>.  '%%' appears to stand in for a space
# in the string and description fields so that each entry stays one word
# under word-splitting; the decoding is done by the consumer, which is not
# visible here.
#
# NOTE(review): the first entry (bin:test2:abc:Test) looks like a self-test
# record rather than a real signature.  The last entry (rc.inet1:...) has
# only three fields where all others have four -- no <location> prefix --
# so confirm how the consumer parses it.
STRINGSCAN="
bin:test2:abc:Test
bin:init:/dev/proc/fuckit:Fuckit%%Rootkit
bin:init:FUCK:Possible%%Suckit%%Rootkit%%found
bin:init:backdoor:Possible%%backdoored%%init%%file%%(Suckit)
bin:login:vt200:Possible%%Linux%%Rootkit
bin:login:/usr/bin/xstat:Possible%%Linux%%Rootkit
bin:login:/bin/envpc:Unknown
bin:login:l4m3r0x:Unknown
bin:login:/usr/lib/.tbd:TBD%%Rootkit
bin:ls:/dev/ptyxx/.file:Dica%%(T0rn%%variant)
bin:ls:/dev/sgk:Unknown
bin:ls:/var/lock/subsys/...datafile...:Ohhara%%Rootkit
bin:ls:/usr/lib/.tbd:TBD%%Rootkit
bin:netstat:/dev/proc/fuckit:Fuckit%%Rootkit
bin:netstat:/lib/.sso:Dica%%(T0rn%%variant)
bin:netstat:/var/lock/subsys/...datafile...:Ohhara%%Rootkit
bin:netstat:/dev/caca:MRK
bin:netstat:/dev/ttyoa:Sin%%Rootkit
bin:netstat:syg:Possible%%trojaned%%netstat
bin:nscd:sshd_config:Possible%%backdoor%%shell%%installed%%(SSH)
bin:ps:/dev/pts/01:SunOS%%Rootkit
bin:ps:tw33dl3:SunOS%%Rootkit
bin:ps:psniff:SunOS%%Rootkit
bin:ps:/var/lock/subsys/...datafile...:Ohhara%%Rootkit%%or%%Ni0%%Rootkit
bin:rpc.nfsd:cant%%open%%log:Possible%%sniffer%%installed
bin:rpc.nfsd:sniff.pid:Possible%%sniffer%%installed
bin:rpc.nfsd:tcp.log:Possible%%sniffer%%installed
bin:sshd:/dev/ptyxx:OpenBSD%%Rootkit
bin:syslogd:promiscuous:Possible%%sniffer%%installed
bin:syslogd:/usr/lib/.tbd:TBD%%Rootkit
bin:tcpd:/dev/xdta:Dica%%(T0rn%%variant)
bin:top:/usr/lib/.tbd:TBD%%Rootkit
bin:xtty:/bin/sh:Possible%%backdoor%%shell%%installed
etc:passwd:r00t:Possible%%GasKit
etc:passwd:t00r:Possible%%GasKit
libs:libproc.so.2.0.7:/dev/proc/fuckit:Fuckit%%Rootkit
rc.d:boot:/usr/bin/initrd%%-t1%%-X53%%-p:Dreams%%Rootkit
rc.d:functions:/usr/bin/initrd%%-t1%%-X53%%-p:Dreams%%Rootkit
rc.inet1:/usr/bin/initrd%%-t1%%-X53%%-p:Dreams%%Rootkit
"

# Directory groups used as the <location> field of STRINGSCAN above:
# bin: /bin, /usr/bin, /usr/local/bin, /usr/sbin, /usr/local/sbin
# etc: /etc
# rc.d: /etc/rc.d /etc/rc.d/init.d
# rc.sysinit: /etc/rc.d

# Slackware: /etc/rc.d/sysvinit (noted by the author; not in the mapping above)

# Markers searched for in rc / init scripts.  Format: <string>:<description>,
# '%%' standing in for a space (decoded by the consumer, not visible here).
RCSTRINGS="
sshdu:Possible%%trojaned%%SSH%%Daemon
sshd1:Possible%%trojaned%%SSH%%Daemon
linsniffer:Possible%%keyboard%%sniffer%%found
startadore:Possible%%Adore%%rootkit%%found
ava:Possible%%PID%%hider%%found
.lsd:Torn%%based%%part%%found
/usr/bin/hdparm%%-t1%%-X53%%-p:MRK%%part%%found
"

# Same format as RCSTRINGS; presumably applied to shell profile files
# (the consumer is not visible here)
BASHPROFILESTRINGS="
/dev/proc/fucking/config:Possible%%Rootkit%%found
/dev/proc/toolz/scan:Possible%%Rootkit%%found
/script:Possible%%background%%logger%%found
"

# Files
# Format: <file|dir>:<path>:<description>; the first field says whether the
# entry names a regular file or a directory.  Paths carry ${ROOTDIR}.
FILESCAN="
file:${ROOTDIR}dev/sdr0:Possible%%MD5%%hash%%database
file:${ROOTDIR}tmp/.syshackfile:Trojaned%%syslog%%daemon
file:${ROOTDIR}tmp/.bash_history:Possible%%Lite5-r%%rootkit
file:${ROOTDIR}usr/info/.clib:Possible%%backdoor
file:${ROOTDIR}usr/sbin/tcp.log:Possible%%sniffer
file:${ROOTDIR}usr/bin/take/pid:Trojaned%%SSH%%daemon
dir:${ROOTDIR}usr/bin/take:Trojaned%%SSH%%daemon
dir:${ROOTDIR}usr/src/.lib:Unusual%%directory
dir:${ROOTDIR}usr/share/man/man1/.1c:Possible%%Eggdrop%%installed
dir:${ROOTDIR}lib/lblip.tk:Directory%%with%%backdoored%%SSH-configuration
dir:${ROOTDIR}usr/sbin/...:Unusual%%directory
"


# Evil strings for *BSD KLD (Dynamic Kernel Linker modules)
# Plain space-separated keywords (no description field), unlike the other
# string lists in this file.
KLDSTATKEYWORDS="backd00r backdoor"

# New: (proposed <keyword>:<description> format; not yet in use -- the
# consumer still expects the bare-keyword form above)
#KLDSTATKEYWORDS="
#backd00r:Unknown%%backdoor
#backdoor:Unknown%%backdoor
#r00tkit:Unknown%%backdoor
#rootkit:Unknown%%backdoor
#darkside:Darkside%%KLD
#hide_link_file:Darkside%%KLD
#"

# Loadable kernel module markers: <string>:<description>
LKMSCAN="
LuCe%%LKM:LuCe%%LKM-module
"

# NOTE(review): this entry has three fields (<pattern>:<name>:<kind>) and the
# pattern contains a '|' alternation, which suggests the consumer treats it
# as an extended regular expression -- confirm before adding entries.
LKMSTRINGS="
pass.log|thc.org:THC%%Vlogger:Keylogger/sniffer
"

# Markers searched for in rc.local: <string>:<description>
RCLOCAL_STRINGS="
/usr/bin/rpc.wall:Unknown
sshdd:Possible%%GasKit
hidef:Possible%%part%%of%%Knark%%found
"

# Integrity tests
# Concatenation of several signature lists.  The "Selftests" section writes
# each word of this list to ${TMPDIR}/stringstest.dat and checks that
# `strings | grep` finds it again, i.e. that the strings(1) binary used for
# the scans has not been tampered with to hide these markers.
STRINGS_INTEGRITY="${BOBKIT_FILES} ${BOBKIT_DIRS} ${CINIK_FILES} ${CINIK_DIRS} ${DICA_FILES} ${FREEBSD_RK_FILES}
${TBD_FILES} ${TORN_FILES} ${TORN_DIRS}"

# Log file left behind by a sniffer
SNIFFER_FILES="
${ROOTDIR}usr/lib/libice.log
"

# Known install locations of the mod_rootme Apache backdoor module
# (Apache 1.3 and 2.x layouts)
APACHE_MOD_ROOTME="
${ROOTDIR}usr/local/apache/libexec/mod_rootme.so
${ROOTDIR}usr/lib/apache/1.3/mod_rootme.so
${ROOTDIR}usr/lib/apache2/modules/mod_rootme2.so
${ROOTDIR}usr/local/apache2/modules/mod_rootme2.so
"

# Apache configuration files; presumably scanned for APACHEBDOORS_STRINGS
# (the check itself is not visible in this part of the file)
HTTPDCONFS="
${ROOTDIR}usr/local/apache/conf/httpd.conf
${ROOTDIR}usr/local/etc/apache/httpd.conf
${ROOTDIR}etc/apache/httpd.conf
"


# Presumably <port>:<name> (31337 is the port Linsniffer is known for);
# the consumer is not visible here -- confirm the field meaning before
# extending the list
BAD_PROCESSES="
31337:Linsniffer
"


##################################################################################################
#
# Initialisation
#
##################################################################################################

    # Kernel/OS name as reported by uname(1); the per-OS branches of the
    # "System checks" section compare against it ("Darwin", "AIX", "SunOS",
    # "Linux", "FreeBSD", "OpenBSD", "NetBSD").
    OPERATING_SYSTEM=$(uname)

    # Flipped to "1" once one of those branches recognises the platform;
    # left at "0" the OS is reported as not fully supported and the MD5
    # checks are skipped.
    valid_os=0

    # Clear screen for a clean start (disabled)
    #clear
      
      
# Begin parameters
      
##################################################################################################
#
# check complete system
#
##################################################################################################

# Section banner in the log; single quotes, as the text contains nothing to expand
logtext '---------------------------- System checks ----------------------------'

if [ "${CHECK}" -eq 1 ]
  then
    displaytext ""; displaytext "";
    displaytext "${PROGRAM_NAME} ${PROGRAM_version} is running"
    displaytext ""
    displaytext -n "Determining OS... "

    if [ "${OPERATING_SYSTEM}" = "Darwin" ]
      then
        # No major/minor version support for Macintosh yet..
        valid_os="1"
	full_osname="Mac OS X"
    fi	

    if [ "${OPERATING_SYSTEM}" = "AIX" ]
      then
        valid_os="1"
	OPERATING_VERSIONTMP=`oslevel`
         
        case ${OPERATING_VERSIONTMP} in
          4.3.2.0)
		OPERATING_VERSION="4.3.2"
		;;
          4.3.3.0)
		OPERATING_VERSION="4.3.3"
		;;
	  5.1.0.0)
		OPERATING_VERSION="5.1"
		;;
	  5.2.0.0)
		OPERATING_VERSION="5.2"
		;;
	  5.3.0.0)
		OPERATING_VERSION="5.3"  # Planned release for 2004
		;;
	  5.4.0.0)
		OPERATING_VERSION="5.4"  # Planned release for 2006
		;;
	  *)
		OPERATING_VERSION="unknown"
		;;
	esac
	full_osname="IBM AIX ${OPERATING_VERSION}"
    fi
    
    # Sun
    if [ "${OPERATING_SYSTEM}" = "SunOS" ]
      then
        valid_os="1"
	full_osname="Sun Solaris"
	OPERATING_VERSIONTMP=`uname -r`
	OPERATING_ARCH=`uname -p`
	
	case ${OPERATING_VERSIONTMP} in
	  4.1.3)
	     OPERATING_VERSION="1.1"
	     ;;
	  5.6)
	     OPERATING_VERSION="2.6"    
	     ;;
	  5.8)
	     OPERATING_VERSION="8"
	     ;;
	  5.9)
	     OPERATING_VERSION="9"
	     ;;
	  5.10)
	     OPERATING_VERSION="10"
	     ;;
	  *)
	     OPERATING_VERSION="Unknown"
	     ;;
	esac
	full_osname="Sun Solaris ${OPERATING_VERSION} (${OPERATING_ARCH})"
	
	# Solaris has POSIX compatible binaries in /usr/xpg4/bin, but doesn't
	# use them by default..
	BINPREFIX="${ROOTDIR}usr/xpg4/bin/"
	
    fi
    
    if [ "${OPERATING_SYSTEM}" = "Linux" ]
      then
        # Ok, so this OS is one of the many Linux members :/
        valid_os="0"	
	
	KERNELVERSION=`uname -r | cut -d '.' -f1,2`
	logtext "Info: kernel is ${KERNELVERSION}"

	GRSEC=`uname -a | grep 'grsec'`
	if [ ! "${GRSEC}" = "" ]; then
	  GRSECINSTALLED=1
	  else
	  GRSECINSTALLED=0
	fi

	# First we check it's the one with the red cap
	if [ -e "/etc/redhat-release" ]
	  then
	    # Mandrake uses the redhat-release file as a link to mandrake-release...
	    if [ -e "/etc/mandrake-release" ]
	      then
	        if [ -e "/etc/pclinuxos-release" ]
		  then
		    # It's pclinuxos (it has 3 release files..)
		    full_osname=`cat /etc/pclinuxos-release`
		    valid_os="1"
		    logtext "Info: Found /etc/pclinuxos-release"
		  else
		    # No, it's not Red Hat, but Mandrake
		    full_osname=`cat /etc/mandrake-release`
		    valid_os="1"
		    logtext "Info: Found /etc/mandrake-release"
		fi
	    fi

	    # And Fedora too...
	    if [ -e "/etc/fedora-release" ]
	      then
		full_osname=`cat /etc/redhat-release`
		valid_os="1"
		logtext "Info: Found /etc/fedora-release"
		uname_model=`uname -m`
		case $uname_model in
		    i[0-9]86) architecture=i386; ;;
		    x86_64)   architecture=x86_64; ;;
		esac	  
		logtext "Architecture ${uname_model} (->${architecture})"
		full_osname="${full_osname} (${architecture})"
	    fi

	    # And Aurora (SPARC) too...
	    if [ -e "/etc/aurora-release" ]
	      then
		full_osname=`cat /etc/aurora-release`
		valid_os="1"
		logtext "Info: Found /etc/aurora-release"
		uname_model=`uname -m`
		logtext "Architecture ${uname_model}"
	    fi

	    # And Trustix too...	    
	    if [ -e "/etc/release" ]
	      then
	        TRUSTIX=`cat /etc/release | grep Trustix`
		if [ ! "${TRUSTIX}" = "" ]
		  then
		    full_osname=`cat /etc/release`
		    valid_os="1"
		    logtext "Info: Found /etc/release"
		fi
	    fi
	    
	    # Still found no valid OS
	    if [ "${valid_os}" -eq 0 ]
	      then
		# Yes, it's Red Hat Linux (or a clone without an extra release file).
		# The name and version is in there..
		full_osname=`cat /etc/redhat-release`
		valid_os="1"
		logtext "Info: Found /etc/redhat-release"
	    fi
	fi


	# Debian?
	if [ -e "/etc/debian_version" ]
	  then
	    version=`cat /etc/debian_version`

	    uname_model=`uname -m`
	    case $uname_model in
		i[0-9]86) architecture=i386; ;;
		sun4u|sparc64)    architecture=sparc64; ;;
		arm*)     architecture=arm; ;;
		ppc)      architecture=powerpc; ;;
	    esac

	    if [ "${version}" = "" ]; then
	        valid_os="0"
	      else
	        if [ "${architecture}" = "" ]; then
		    valid_os="0"
		  else
		    full_osname="Debian ${version} (${architecture})"
		    valid_os="1"
		fi
	    fi
	    
	    logtext "Info: Found /etc/debian_version"
	fi

	# PLD Linux?
	if [ -e "/etc/pld-release" ]
	  then
	    version=`cat /etc/pld-release`

	    uname_model=`uname -m`
	    case $uname_model in
		i[0-9]86) 	architecture=i386; ;;
		sun4u|sparc64)  architecture=sparc64; ;;
		arm*)     	architecture=arm; ;;
		ppc)      	architecture=powerpc; ;;
	    esac

	    if [ "${version}" = "" ]; then
	        valid_os="0"
	      else
	        if [ "${architecture}" = "" ]; then
		    valid_os="0"
		  else
		    full_osname="${version} (${architecture})"
		    valid_os="1"
		fi
	    fi
	    
	    logtext "Info: Found /etc/pld-release"
	fi


	# CPUBuilders Linux?
	if [ -e "/etc/cpub-release" ]
	  then
	    version=`cat /etc/cpub-release`	  
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/cpub-release"
	fi

	# SuSE?
	if [ -e "/etc/SuSE-release" ]
	  then
	    # Grep for 'SuSE Linux' because this file contains multiple lines
	    version=`cat /etc/SuSE-release | grep "SuSE Linux"`	  
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/SuSE-release"
	fi

	# SuSE (Linux Openexchange Server)
	if [ -e "/etc/SLOX-release" ]
	  then
	    # Grep for 'SuSE Linux' because this file contains multiple lines
	    version=`cat /etc/SLOX-release | grep "SuSE Linux"`
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/SLOX-release"
	fi

	# Turbo Linux?
	if [ -e "/etc/turbolinux-release" ]
	  then
	    full_osname=`cat /etc/turbolinux-release`
	    valid_os="1"

	    debugdate >> ${DEBUGFILE}
	    echo "Info: Found /etc/turbolinux-release" >> ${DEBUGFILE}
	fi

	# Slackware?
	if [ -e "/etc/slackware-version" ]
	  then
	    full_osname=`cat /etc/slackware-version`
	    valid_os="1"

	    debugdate >> ${DEBUGFILE}
	    echo "Info: Found /etc/slackware-version" >> ${DEBUGFILE}
	fi

	# YellowDog?
	if [ -e "/etc/yellowdog-release" ]
	  then
	    full_osname=`cat /etc/yellowdog-release`
	    valid_os="1"

	    debugdate >> ${DEBUGFILE}
	    echo "Info: Found /etc/yellowdog-release" >> ${DEBUGFILE}
	fi

	# Gentoo?
	if [ -e "/etc/gentoo-release" ]
	  then
	    GENTOO=1
	    version=`cat /etc/gentoo-release | awk '{ print $5 }' | cut -d '.' -f1,2`
	    uname_model=`uname -m`
		case $uname_model in
		    i[0-9]86) architecture=i386; ;;
		    ppc)      architecture=powerpc; ;;
		esac	  
		logtext "Architecture ${uname_model} (->${architecture})"

	    full_osname="Gentoo Linux ${version} (${architecture})"
	    valid_os="1"

	    debugdate >> ${DEBUGFILE}
	    echo "Info: Found /etc/gentoo-release" >> ${DEBUGFILE}
	fi
    fi

    
    if [ "${OPERATING_SYSTEM}" = "FreeBSD" ]
      then
        valid_os="1"
	version=`sysctl -n kern.osrelease | cut -d "-" -f 1`
	architecture=`sysctl -n hw.machine_arch`
	SUBVERSION=`sysctl -n kern.osrelease | cut -d "-" -f 2 | tr -d ' '`
	full_osname="FreeBSD ${version} (${architecture})"	
	
	echo "Info: Found FreeBSD ${version}" >> ${DEBUGFILE}

	# Check FreeBSD version (release, stable, current)
        debugdate >> ${DEBUGFILE}
        if [ "${SUBVERSION}" = "RELEASE" ]
	  then
	    echo "Debug: You have a 'RELEASE' version of FreeBSD" >> ${DEBUGFILE}
	  else
	    echo "Debug: You have NOT a 'RELEASE' version of FreeBSD" >> ${DEBUGFILE}
	    MD5CHECK_SKIP=1
	fi

    fi

    if [ "${OPERATING_SYSTEM}" = "OpenBSD" ]
      then
        valid_os="1"
	version=`uname -r`
	# uname -m (i.e. i386)
	architecture=`uname -m`
	full_osname="OpenBSD ${version} (${architecture})"	
    fi

    if [ "${OPERATING_SYSTEM}" = "NetBSD" ]
      then
        valid_os="1"
    fi
    # Extract information from Operating System database
    os_string=`cat ${DB_PATH}/os.dat | grep "${full_osname}:"`
    os_id=`echo ${os_string} | cut -d ":" -f1`
    md5=`echo ${os_string} | cut -d ":" -f3`
    if [ -z "${md5}" ]; then
      md5="md5_not_known"
    fi
    binroot=`echo ${os_string} | cut -d ":" -f4`
    
    if [ "${os_id}" = "" ]
      then
        valid_os="0"
    fi

    if [ ${valid_os} -eq 0 ]
      then
	displaytext "Warning: this operating system is not fully supported!"
        debugdate >> ${DEBUGFILE}
	logtext "Warning: this operating system is not fully supported!"
	os_id="NA"
	MD5CHECK_SKIP=1
    fi

    logtext "Info: Full OS name = ${full_osname}"

    displaytext "Ready"


    logtext "Info: Using ${md5} to verify MD5 hashes"

	if [ -e `echo ${md5} | cut -d " " -f1 ` ]
	  then
	    logtext "Info: ${md5} found"
          else
            displaytext "Warning: Cannot find ${md5}"
	    displaytext "All MD5 checks will be skipped!"
	    MD5CHECK_SKIP=1
        fi

	if [ -d ${TMPDIR} ]
	  then
	    logtext "Info: ${TMPDIR}"
	  else
	    logtext "Info: ${TMPDIR} not present. Creating it." >> ${DEBUGFILE}
	    mkdir -p ${TMPDIR}
	fi

	if [ `${BINPREFIX}id -u` = "0" ]
	  then
	    logtext "Info: UID is zero (root)" >> ${DEBUGFILE}
	  else
	    displaytext "Fatal error: root rights needed to perform a full scan"
	    exit 1
	fi

	if [ "${PERLFOUND}" -eq 1 ]
	  then
	    logtext "Info: Perl version ${PERLVERSION} found"
	    
	    # Only use Perl MD5 module if we have it installed
	    # If we can find it then skip the md5(sum) utility
	    perlmd5installed=`${MYDIR}/lib/rkhunter/scripts/check_modules.pl | grep 'Digest::MD5 installed'`
	    perlsha1installed=`${MYDIR}/lib/rkhunter/scripts/check_modules.pl | grep 'Digest::SHA1 installed'`

	    if [ ! "${perlmd5installed}" = "" ]
	      then
	        md5="${MYDIR}/lib/rkhunter/scripts/filehashmd5.pl"
		logtext "Info: ${perlmd5installed}" >> ${DEBUGFILE}
		logtext "Info: Using Perl Digest::MD5 module instead of ${MD5BINARY}"
	    fi

	    if [ ! "${perlsha1installed}" = "" ]
	      then
	        #sha1="${MYDIR}/lib/rkhunter/scripts/filehashsha1.pl"
		logtext "Info: ${perlsha1installed}" >> ${DEBUGFILE}
		#logtext "Using Perl Digest::SHA1 module instead of ${SHA1BINARY}"
	    fi

	  else
	    logtext "Info: Perl not found"
	fi

    if [ ! -f "${ROOTDIR}proc/ksyms" ]; then
      logtext "Info: ksyms file check will be skipped (${ROOTDIR}proc/ksyms not available on this system)"
    fi
    
    

    logtext "---------------------------- File checks -----------------------------"


NEEDEDFILES="
${DB_PATH}/md5blacklist.dat
${DB_PATH}/mirrors.dat
${DB_PATH}/programs_bad.dat
${DB_PATH}/programs_good.dat
"

    for I in ${NEEDEDFILES}; do
      logtext -n "Checking ${I}... "
      if [ -f "${I}" ]
        then
          logtext --nodate "OK"
        else
	  logtext --nodate "Error. Doesn't exists!"
	  displaytext "Fatal error: file ${I} doesn't exists. Please check your paths and/or parameters."
	  exit 1
      fi
    done
    
   



 
    displaytext ""; displaytext ""
    displaytext "${YELLOW}Checking binaries${NORMAL}"
    displaytext "${test}* Selftests${NORMAL}"    

    logtext "------------------------------ Selftests ------------------------------"

    # Self check

	SIZE=23
	displaytext -n "     Strings (command)"
	jump=`expr ${defaultcolumn} - ${SIZE}`
	STRINGSFAILED=0

	if [ "${STRINGSFOUND}" -eq 1 ]
	  then
    	    for I in ${STRINGS_INTEGRITY}; do
	      echo "${I}" > ${TMPDIR}/stringstest.dat
	      logtext -n "Strings selftest: scanning for string ${I}... "
	      STRINGFOUND=`strings ${TMPDIR}/stringstest.dat | grep "${I}" | tr -d ' '`
	      if [ "${STRINGFOUND}" = "" ]
		then
	          STRINGSFAILED=1
	          FAILEDSTRINGS="${FAILEDSTRINGS} ${I}"
		  logtext --nodate "WARNING!"
		else
		  logtext --nodate "OK"
	      fi
	    done
	
	    if [ "${STRINGSFAILED}" -eq 1 ]
	      then
		  insertlayout
		  displaytext $E "   ${file}${LAYOUT}[ ${BAD}BAD${NORMAL} ]"
		  displaytext ""
		  displaytext "-----------------------------------------------------------------------------------"
		  displaytext "Expected (but not found) strings:"
		  displaytext "${FAILEDSTRINGS}"
		  displaytext "-----------------------------------------------------------------------------------"
	    else
		  jump=`expr ${defaultcolumn} - ${SIZE}`
		  insertlayout
		  displaytext $E "   ${file}${LAYOUT}[ ${OK}OK${NORMAL} ]"
	    fi
	    displaytext "${NORMAL}"
	  else
	    insertlayout
	    displaytext $E "   ${file}${LAYOUT}[ ${WHITE}Skipped!${NORMAL} ]"
	fi

	# Clean up temporary file
	if [ -f ${TMPDIR}/stringstest.dat ]; then
	  rm -f ${TMPDIR}/stringstest.dat
	fi
	
    displaytext ""



    logtext "---------------------------- MD5 hash tests ---------------------------"


    # Binary check
    
    displaytext "${test}* System tools${NORMAL}"    

    if [ $MD5CHECK_SKIP -eq 0 ]
      then    
	logtext "Starting MD5 checksum test (${md5})"
	
	PRELINKING=0
	if [ -e ${ROOTDIR}etc/prelink.cache ]
	  then
	    PRELINKING=1
	    logtext "Found cache file of prelinked files"
	    logtext "Using prelink binary: ${PRELINKBINARY}"
	    displaytext "Info: prelinked files found"
	    
	fi

	# Check if we have any 'known good' checksums for this operating system
	# If not, we perform a 'known bad' check.
	DBMD5COUNT=`cat ${DB_PATH}/defaulthashes.dat | grep "${os_id}:/"`
	if [ "${DBMD5COUNT}" = "" -o ${PERFORMKNOWNBAD} -eq 1 ]
	  then
	  
	    displaytext "  ${WHITE}Performing 'known bad' check...${NORMAL}"

	    # Files to check	  
	    CHECKFILES="${ROOTDIR}bin/cat ${ROOTDIR}bin/chmod ${ROOTDIR}bin/chown ${ROOTDIR}bin/csh ${ROOTDIR}bin/date ${ROOTDIR}bin/df ${ROOTDIR}bin/dmesg ${ROOTDIR}bin/echo ${ROOTDIR}bin/ed ${ROOTDIR}bin/egrep ${ROOTDIR}bin/env ${ROOTDIR}bin/fgrep ${ROOTDIR}bin/grep ${ROOTDIR}bin/id ${ROOTDIR}bin/kill ${ROOTDIR}bin/login ${ROOTDIR}bin/ls ${ROOTDIR}bin/md5 ${ROOTDIR}bin/more ${ROOTDIR}bin/mount ${ROOTDIR}bin/netstat ${ROOTDIR}bin/ps ${ROOTDIR}bin/sh ${ROOTDIR}bin/sha1 ${ROOTDIR}bin/sort ${ROOTDIR}bin/su ${ROOTDIR}sbin/checkproc ${ROOTDIR}sbin/chkconfig ${ROOTDIR}sbin/depmod ${ROOTDIR}sbin/dmesg ${ROOTDIR}sbin/ifconfig ${ROOTDIR}sbin/ifdown ${ROOTDIR}sbin/ifstatus ${ROOTDIR}sbin/ifup ${ROOTDIR}sbin/init ${ROOTDIR}sbin/insmod ${ROOTDIR}sbin/ip ${ROOTDIR}sbin/kldload ${ROOTDIR}sbin/kldstat ${ROOTDIR}sbin/kldunload ${ROOTDIR}sbin/ksyms ${ROOTDIR}sbin/lsmod ${ROOTDIR}sbin/md5 ${ROOTDIR}sbin/modinfo ${ROOTDIR}sbin/modload ${ROOTDIR}sbin/modprobe ${ROOTDIR}sbin/modunload ${ROOTDIR}sbin/nologin ${ROOTDIR}sbin/rmmod ${ROOTDIR}sbin/runlevel ${ROOTDIR}sbin/sulogin ${ROOTDIR}sbin/sysctl ${ROOTDIR}sbin/syslogd ${ROOTDIR}usr/bin/basename ${ROOTDIR}usr/bin/chattr ${ROOTDIR}usr/bin/du ${ROOTDIR}usr/bin/egrep ${ROOTDIR}usr/bin/fgrep ${ROOTDIR}usr/bin/file ${ROOTDIR}usr/bin/find ${ROOTDIR}usr/bin/groups ${ROOTDIR}usr/bin/head ${ROOTDIR}usr/bin/kill ${ROOTDIR}usr/bin/killall ${ROOTDIR}usr/bin/last ${ROOTDIR}usr/bin/lastlog ${ROOTDIR}usr/bin/less ${ROOTDIR}usr/bin/locate ${ROOTDIR}usr/bin/logger ${ROOTDIR}usr/bin/login ${ROOTDIR}usr/bin/lsattr ${ROOTDIR}usr/bin/md5sum ${ROOTDIR}usr/bin/modstat ${ROOTDIR}usr/bin/more ${ROOTDIR}usr/bin/netstat ${ROOTDIR}usr/bin/newsyslog ${ROOTDIR}usr/bin/passwd ${ROOTDIR}usr/bin/pstree ${ROOTDIR}usr/bin/sha1sum ${ROOTDIR}usr/bin/size ${ROOTDIR}usr/bin/slocate ${ROOTDIR}usr/bin/sockstat ${ROOTDIR}usr/bin/sort ${ROOTDIR}usr/bin/stat ${ROOTDIR}usr/bin/strace ${ROOTDIR}usr/bin/strings ${ROOTDIR}usr/bin/su ${ROOTDIR}usr/bin/systat ${ROOTDIR}usr/bin/test 
${ROOTDIR}usr/bin/top ${ROOTDIR}usr/bin/touch ${ROOTDIR}usr/bin/uname ${ROOTDIR}usr/bin/users ${ROOTDIR}usr/bin/vmstat ${ROOTDIR}usr/bin/w ${ROOTDIR}usr/bin/watch ${ROOTDIR}usr/bin/wc ${ROOTDIR}usr/bin/wget ${ROOTDIR}usr/bin/whatis ${ROOTDIR}usr/bin/whereis ${ROOTDIR}usr/bin/which ${ROOTDIR}usr/bin/who ${ROOTDIR}usr/bin/whoami ${ROOTDIR}usr/sbin/adduser ${ROOTDIR}usr/sbin/amd ${ROOTDIR}usr/sbin/chroot ${ROOTDIR}usr/sbin/cron ${ROOTDIR}usr/sbin/inetd ${ROOTDIR}usr/sbin/kudzu ${ROOTDIR}usr/sbin/syslogd ${ROOTDIR}usr/sbin/tcpd ${ROOTDIR}usr/sbin/useradd ${ROOTDIR}usr/sbin/usermod ${ROOTDIR}usr/sbin/vipw ${ROOTDIR}usr/sbin/xinetd"

	    for I in ${CHECKFILES}; do
	      if [ -f ${I} ]
	        then
	          displaytext -n "   ${I}"
		  SIZE=`echo "${I}" | wc -c | tr -d ' '`	  
	          ISBAD=""
	          MD5SUM=`${md5} ${I}`

	          ISBAD=`cat ${DB_PATH}/md5blacklist.dat | grep ${MD5SUM}`

	          if [ "${ISBAD}" = "" ]
	  	    then
		      jump=`expr ${defaultcolumn} - ${SIZE}`
		      insertlayout
		      displaytext -e "${LAYOUT}[ ${OK}OK${NORMAL} ]"
		    else
		      jump=`expr ${defaultcolumn} - ${SIZE}`
		      insertlayout
		      displaytext -e "${LAYOUT}[ ${BAD}BAD${NORMAL} ]"
		      logtext "Possible backdoored or harmfull file found ${I}" >> ${DEBUGFILE}
		      WARNING=1
	          fi

#	        else
#		  echo "Skipped"
	      fi
	    done

	fi

	displaytext "  ${WHITE}Performing 'known good' check...${NORMAL}"	    

	for i in `cat ${DB_PATH}/defaulthashes.dat | grep "${os_id}:/"`
	do
	  file=`echo ${i} | cut -d : -f 2`		
	  SIZE=`echo "${file}" | wc -c | tr -d ' '`	  
	  MD5_COUNT=`expr ${MD5_COUNT} + 1`
	  FOUND=0
	  if [ ! "${file}" = "${lastfile}" ]
	    then
	      if [ -e "${file}"  ]
	        then
		  FILEHASHES=`cat ${DB_PATH}/defaulthashes.dat | grep "${os_id}:/" | grep ":${file}:" | cut -d : -f 3`
		  MYPACKAGES=`cat ${DB_PATH}/defaulthashes.dat | grep "${os_id}:/" | grep ":${file}:" | cut -d : -f 6`
		  #FILEHASHES=`echo ${i} | cut -d : -f 3`
		  for J in ${FILEHASHES}; do
		  if [ ${PRELINKING} -eq 1 ]
		    then
		      PRELINKVERIFY=`${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst`
		      myhash=`${md5} ${TMPDIR}/prelink.tst | cut -d " " -f 1`
		    else
	              myhash=`${md5} ${file} | cut -d " " -f 1`
		  fi
		  # Fix for OpenBSD's version of MD5 (doesn't support -q option)
		  if [ "${OPERATING_SYSTEM}" = "OpenBSD" -a "${md5}" = "/bin/md5" ]; then
		      myhash=`echo ${myhash} | cut -d ' ' -f4 | tr -d ' '`
		  fi      

	          hash="${J}"

	    	  if [ "${hash}" = "${myhash}" ]
		    then
		        FOUND=1
		        debugdate >> ${DEBUGFILE}
		        echo "${file} hash valid, found in database"  >> ${DEBUGFILE}
		       else
		        debugdate >> ${DEBUGFILE}
		        echo "${file} Hash NOT valid (My MD5: ${myhash}, expected: ${hash})"  >> ${DEBUGFILE}
		  fi
		  done
		  
		  
		if [ ${FOUND} -eq 0 ]
		  then
		    # Compare against whitelist
		    logtext "Using whitelists to compare MD5 hash (searching for ${myhash})"
		    for WHITELISTSTRING in `cat ${CONFIGFILE} | egrep '^MD5WHITELIST=' | sed 's/MD5WHITELIST=//g'`; do
		      WHITELISTFILE=`echo ${WHITELISTSTRING} | cut -d ':' -f1`
		      WHITELISTHASH=`echo ${WHITELISTSTRING} | cut -d ':' -f2`
		      logtext "Checking ${WHITELISTHASH} (${WHITELISTFILE})"
		      if [ "${WHITELISTFILE}" = "${file}" -a "${WHITELISTHASH}" = "${myhash}" ]; then
		        FOUND=1
		        logtext "Whitelisted hash found"
		      fi
		      
		    done
		    if [ ${FOUND} -eq 0 ]; then
		      logtext "No whitelisted MD5 hash found for ${file}"
		      logtext "MD5 hash for my file (${file}) is ${myhash}, but is not in database"
		    fi
		    
		    logtext "End of whitelist compare"
		fi
		
	        displaytext -n "   ${file}"
	        if [ ${FOUND} -eq 1 ]
	  	  then
		    jump=`expr ${defaultcolumn} - ${SIZE}`
		    insertlayout
		    displaytext -e "${LAYOUT}[ ${OK}OK${NORMAL} ]"
		  else
		    MD5_DIFFERENT=`expr ${MD5_DIFFERENT} + 1`
		    jump=`expr ${defaultcolumn} - ${SIZE}`
		    insertlayout
		    displaytext -e "${LAYOUT}[ ${BAD}BAD${NORMAL} ]"
		    logtext "Checking ${file} against hashes in database (${FILEHASHES}) failed" >> ${DEBUGFILE}
		    if [ -f /bin/rpm ]
		      then
		        RPMPACKAGE=`rpm -qf ${file}`
			logtext "RPM info: your package '${RPMPACKAGE}'"
			logtext "RPM info: packages in database: ${MYPACKAGES}"
		    fi
		    WARNING=1
	        fi
	      else
	        jump=`expr ${defaultcolumn} - ${SIZE}`
	        displaytext -n "   ${file}"
		insertlayout
	        displaytext $E "${LAYOUT}[ ${YELLOW}NA${NORMAL} ]"
	    fi
	  fi
	  lastfile="${file}"
 
	done

        keypresspause

      else
        displaytext "     ${WHITE}Skipped!${NORMAL}"
    fi	




#    displaytext "${test}* Searching for system files${NORMAL}"    
    
#    SCANFILELIST="${MYDIR}/lib/rkhunter/tmp/files.lst"
#    if [ ${QUICKSCAN} -eq 0 ]
#      then
#	find / -name *.o -or -name *.ko > ${SCANFILELIST}
#      else
#        locate *.o *.ko | head > ${SCANFILELIST}
#    fi
#    FILESCOUNT=`cat ${SCANFILELIST} | wc -l | tr -s ' ' | tr -d ' '`
#    displaytext "Datbase contains ${FILESCOUNT} files to investigate."
    



##################################################################################################
#
# Rootkits
#
##################################################################################################


    displaytext ""; displaytext ""
    displaytext "${YELLOW}Check rootkits${NORMAL}"
    displaytext "${test}* Default files and directories${NORMAL}"

    logtext "------------------------------ Rootkits ------------------------------"

    # 55808 Trojan - Variant A

	SCAN_ROOTKIT="55808 Trojan - Variant A"
	SCAN_FILES=${W55808A_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit

    # AjaKit

	SCAN_ROOTKIT="AjaKit"
	SCAN_FILES=${AJAKIT_FILES}
	SCAN_DIRS=${AJAKIT_DIRS}
	SCAN_KSYMS=${AJAKIT_KSYMS}
	scanrootkit

    # aPa Kit

	SCAN_ROOTKIT="aPa Kit"
	SCAN_FILES=${APAKIT_FILES}
	SCAN_DIRS=${APAKIT_DIRS}
	SCAN_KSYMS=${APAKIT_KSYMS}
	scanrootkit

    # Apache worm

	SCAN_ROOTKIT="Apache Worm"
	SCAN_FILES=${APACHEWORM_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit

    # Ambient (ark) Rootkit

	SCAN_ROOTKIT="Ambient (ark) Rootkit"
	SCAN_FILES=${ARK_FILES}
	SCAN_DIRS=${ARK_DIRS}
	SCAN_KSYMS=""
	scanrootkit

    # Balaur Rootkit

	SCAN_ROOTKIT="Balaur Rootkit"
	SCAN_FILES=${BALAUR_FILES}
	SCAN_DIRS=${BALAUR_DIRS}
	SCAN_KSYMS=${BALAUR_KSYMS}
	scanrootkit

    # Known-rootkit signature scans, part 1 (BeastKit .. RSHA).
    # Every entry primes the three globals read by scanrootkit — the file
    # list, the directory list and the kernel-symbol list of that rootkit —
    # and then runs it. An empty value means the signature has no entries of
    # that kind, so scanrootkit skips that sub-test.

    SCAN_ROOTKIT="BeastKit"; SCAN_FILES="${BEASTKIT_FILES}"; SCAN_DIRS="${BEASTKIT_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="BOBKit"; SCAN_FILES="${BOBKIT_FILES}"; SCAN_DIRS="${BOBKIT_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="CiNIK Worm (Slapper.B variant)"; SCAN_FILES="${CINIK_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Danny-Boy's Abuse Kit"; SCAN_FILES="${DANNYBOYS_FILES}"; SCAN_DIRS="${DANNYBOYS_DIRS}"; SCAN_KSYMS="${DANNYBOYS_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Devil RootKit"; SCAN_FILES="${DEVIL_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Dica"; SCAN_FILES="${DICA_FILES}"; SCAN_DIRS="${DICA_DIRS}"; SCAN_KSYMS="${DICA_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Dreams Rootkit"; SCAN_FILES="${DREAMS_FILES}"; SCAN_DIRS="${DREAMS_DIRS}"; SCAN_KSYMS="${DREAMS_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Duarawkz"; SCAN_FILES="${DUARAWKZ_FILES}"; SCAN_DIRS="${DUARAWKZ_DIRS}"; SCAN_KSYMS="${DUARAWKZ_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Flea Linux Rootkit"; SCAN_FILES="${FLEA_FILES}"; SCAN_DIRS="${FLEA_DIRS}"; SCAN_KSYMS="${FLEA_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="FreeBSD Rootkit"; SCAN_FILES="${FREEBSD_RK_FILES}"; SCAN_DIRS="${FREEBSD_RK_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Fuck\`it Rootkit"; SCAN_FILES="${FUCKIT_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="GasKit"; SCAN_FILES="${GASKIT_FILES}"; SCAN_DIRS="${GASKIT_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Heroin LKM"; SCAN_FILES="${HEROIN_FILES}"; SCAN_DIRS="${HEROIN_DIRS}"; SCAN_KSYMS="${HEROIN_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="HjC Kit"; SCAN_FILES="${HJCKIT_FILES}"; SCAN_DIRS="${HJCKIT_DIRS}"; SCAN_KSYMS="${HJCKIT_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="ignoKit"; SCAN_FILES="${IGNOKIT_FILES}"; SCAN_DIRS="${IGNOKIT_DIRS}"; SCAN_KSYMS="${IGNOKIT_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="ImperalsS-FBRK"; SCAN_FILES=""; SCAN_DIRS="${IMPFRB_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Irix Rootkit"; SCAN_FILES="${IRIXRK_FILES}"; SCAN_DIRS="${IRIXRK_DIRS}"; SCAN_KSYMS="${IRIXRK_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Kitko"; SCAN_FILES="${KITKO_FILES}"; SCAN_DIRS="${KITKO_DIRS}"; SCAN_KSYMS="${KITKO_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Knark"; SCAN_FILES="${KNARK_FILES}"; SCAN_DIRS="${KNARK_DIRS}"; SCAN_KSYMS="${KNARK_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Li0n Worm"; SCAN_FILES="${LION_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Lockit / LJK2"; SCAN_FILES="${LOCKIT_FILES}"; SCAN_DIRS="${LOCKIT_DIRS}"; SCAN_KSYMS="${LOCKIT_KSYMS}"
    scanrootkit

    # MRK (MiCrobul RootKit?)
    SCAN_ROOTKIT="MRK"; SCAN_FILES="${MRK_FILES}"; SCAN_DIRS="${MRK_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Ni0 Rootkit"; SCAN_FILES="${NIO_FILES}"; SCAN_DIRS="${NIO_DIRS}"; SCAN_KSYMS="${NIO_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="RootKit for SunOS / NSDAP"; SCAN_FILES="${NSDAP_FILES}"; SCAN_DIRS="${NSDAP_DIRS}"; SCAN_KSYMS="${NSDAP_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Optic Kit (Tux)"; SCAN_FILES=""; SCAN_DIRS="${OPTICKIT_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Oz Rootkit"; SCAN_FILES="${OZ_FILES}"; SCAN_DIRS="${OZ_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Portacelo"; SCAN_FILES="${PORTACELO_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="R3dstorm Toolkit"; SCAN_FILES="${REDSTORM_FILES}"; SCAN_DIRS="${REDSTORM_DIRS}"; SCAN_KSYMS="${REDSTORM_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="RSHA's rootkit"; SCAN_FILES="${RSHA_FILES}"; SCAN_DIRS="${RSHA_DIRS}"; SCAN_KSYMS="${RSHA_KSYMS}"
    scanrootkit
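    # Sebek LKM (Honeypot)
    #
    # Searches the exported kernel symbol table for 'adore' or 'sebek'
    # (case-insensitive). A system without /proc/ksyms is reported as OK
    # because there is nothing to inspect here — that is not evidence either
    # way, only that this particular test could not run.

    STATUS=0
    SIZE=10

    if [ ${DEBUG} -eq 1 ]; then
       logtext "Debug: Sebek LKM"
    fi
    displaytext -n "   Sebek LKM"

    # The egrep exit status is the test. The original wrapped the pipeline in
    # backticks and relied on the shell treating an empty command substitution
    # as its exit status; run the command directly instead.
    if [ -f /proc/ksyms ]; then
      if ${EGREP} -i 'adore|sebek' < /proc/ksyms >/dev/null 2>&1; then
        STATUS=1
      fi
    fi

    jump=`expr ${defaultcolumn} - ${SIZE}`
    insertlayout
    if [ ${STATUS} -eq 0 ]; then
        displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
      else
        displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
        # NOTE(review): FOUNDTRACES is not assigned in this block; presumably
        # set by scanrootkit — confirm it holds the intended text at this point.
        displaytext "${FOUNDTRACES}"
    fi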

    # Known-rootkit signature scans, part 2 (Scalper .. zaRwT).
    # Same contract as above: set SCAN_ROOTKIT / SCAN_FILES / SCAN_DIRS /
    # SCAN_KSYMS, then call scanrootkit. Suckit gets an additional
    # dedicated check after the generic one.

    SCAN_ROOTKIT="Scalper Worm"; SCAN_FILES="${SCALPER_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Shutdown"; SCAN_FILES="${SHUTDOWN_FILES}"; SCAN_DIRS="${SHUTDOWN_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="SHV4"; SCAN_FILES="${SHV4_FILES}"; SCAN_DIRS="${SHV4_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Sin Rootkit"; SCAN_FILES="${SINROOTKIT_FILES}"; SCAN_DIRS="${SINROOTKIT_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Slapper"; SCAN_FILES="${SLAPPER_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Sneakin Rootkit"; SCAN_FILES=""; SCAN_DIRS="${SNEAKIN_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Suckit Rootkit"; SCAN_FILES="${SUCKIT_FILES}"; SCAN_DIRS="${SUCKIT_DIRS}"; SCAN_KSYMS=""
    scanrootkit
    scanrootkit_suckit_extra_checks

    SCAN_ROOTKIT="SunOS Rootkit"; SCAN_FILES="${SUNOSROOTKIT_FILES}"; SCAN_DIRS="${SUNOSROOTKIT_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Superkit"; SCAN_FILES="${SUPERKIT_FILES}"; SCAN_DIRS="${SUPERKIT_DIRS}"; SCAN_KSYMS="${SUPERKIT_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="TBD (Telnet BackDoor)"; SCAN_FILES="${TBD_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="TeLeKiT"; SCAN_FILES="${TELEKIT_FILES}"; SCAN_DIRS="${TELEKIT_DIRS}"; SCAN_KSYMS="${TELEKIT_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="T0rn Rootkit"; SCAN_FILES="${TORN_FILES}"; SCAN_DIRS="${TORN_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Trojanit Kit"; SCAN_FILES="${TROJANIT_FILES}"; SCAN_DIRS=""; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="Tuxtendo"; SCAN_FILES="${TUXTENDO_FILES}"; SCAN_DIRS="${TUXTENDO_DIRS}"; SCAN_KSYMS="${TUXTENDO_KSYMS}"
    scanrootkit

    # URK (Universal Root Kit)
    SCAN_ROOTKIT="URK"; SCAN_FILES="${URK_FILES}"; SCAN_DIRS="${URK_DIRS}"; SCAN_KSYMS="${URK_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="VcKit"; SCAN_FILES="${VCKIT_FILES}"; SCAN_DIRS="${VCKIT_DIRS}"; SCAN_KSYMS="${VCKIT_KSYMS}"
    scanrootkit

    SCAN_ROOTKIT="Volc Rootkit"; SCAN_FILES="${VOLC_FILES}"; SCAN_DIRS="${VOLC_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="X-Org SunOS Rootkit"; SCAN_FILES="${XORGSUNOS_FILES}"; SCAN_DIRS="${XORGSUNOS_DIRS}"; SCAN_KSYMS=""
    scanrootkit

    SCAN_ROOTKIT="zaRwT.KiT Rootkit"; SCAN_FILES="${ZARWT_FILES}"; SCAN_DIRS="${ZARWT_DIRS}"; SCAN_KSYMS=""
    scanrootkit



##################################################################################################
#
# Malware
#
##################################################################################################

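    displaytext ""
    displaytext "${test}* Suspicious files and malware${NORMAL}"

    logtext "------------------------------ Malware ------------------------------"

    logtext "Start scan for common used known (and unknown) rootkit files..."

    # Known rootkit strings. Every STRINGSCAN entry is 'type:file:string:info'
    # with '%%' standing for a space. Only type 'bin' is handled: the named
    # file is looked up in each FILEBINPATHS directory and the printable
    # strings of every copy found are grepped for the signature (used as a
    # grep regex). Requires the strings(1) binary (STRINGSFOUND).
    SIZE=35
    displaytext -n "   Scanning for known rootkit strings"
    logtext "[Start string tests]"

    if [ ${STRINGSFOUND} -eq 1 ]; then
      FOUND=0
      # /usr/local/bin is listed twice (kept as-is); /usr/local/sbin may have
      # been intended — confirm against the signature DB before widening the
      # search path.
      FILEBINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/bin"
      for I in ${STRINGSCAN}; do
        TYPE=`echo $I | cut -d ':' -f1`
        FILE=`echo $I | cut -d ':' -f2`
        FILESTRING=`echo $I | cut -d ':' -f3`
        INFO=`echo $I | cut -d ':' -f4`
        FILE=`echo ${FILE} | sed 's/%%/ /g'`
        FILESTRING=`echo ${FILESTRING} | sed 's/%%/ /g'`
        INFO=`echo ${INFO} | sed 's/%%/ /g'`
        case ${TYPE} in
          bin)
            # Own loop variable so the entry (I) is not clobbered
            for BINPATH in ${FILEBINPATHS}; do
              FILENAME="${BINPATH}/${FILE}"
              if [ -f "${FILENAME}" ]; then
                FOUNDSTRING=`${STRINGSBINARY} "${FILENAME}" | grep "${FILESTRING}"`
                if [ "${FOUNDSTRING}" = "" ]; then
                  logtext "${FILENAME} clean (string: $FILESTRING)"
                else
                  logtext "Warning: ${FILENAME} NOT clean (string: $FILESTRING)"
                  FOUND=1
                fi
              fi
            done
            ;;
        esac
      done
      jump=`expr ${defaultcolumn} - ${SIZE}`
      insertlayout
      if [ ${FOUND} -eq 1 ]; then
        displaytext $E "${LAYOUT}[ ${BAD}BAD${NORMAL} ]"
        logtext "Warning: Found unexpected strings in some files!"
      else
        displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
        logtext "All files are OK"
      fi
    else
      jump=`expr ${defaultcolumn} - ${SIZE}`
      insertlayout
      displaytext $E "${LAYOUT}[ ${YELLOW}Skipped${NORMAL} ]"
      # Single quotes around the tool name: inside double quotes the original
      # backticks were a command substitution and actually ran strings(1).
      logtext "Skipped stringtest (rootkit strings), due to missing 'strings'"
    fi

    logtext "[End string tests]"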

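    # Known rootkit files. Every FILESCAN entry is 'type:path:info' with '%%'
    # standing for a space; type 'dir' tests for a directory, 'file' for a
    # regular file. Every hit is counted and reported: the original only kept
    # the state of the last entry, and its 'file' test looked at the literal
    # path "{$FILE}" (typo for "${FILE}"), so it could never match.
    SIZE=33
    displaytext -n "   Scanning for known rootkit files"

    FOUNDANY=0
    FOUNDREPORT=""
    for I in ${FILESCAN}; do
      TYPE=`echo $I | cut -d ':' -f1`
      FILE=`echo $I | cut -d ':' -f2`
      INFO=`echo $I | cut -d ':' -f3`
      FOUNDFILE=0
      FILE=`echo ${FILE} | sed 's/%%/ /g'`
      INFO=`echo ${INFO} | sed 's/%%/ /g'`

      logtext "Scanning for presence of ${FILE} (${TYPE})... "
      case ${TYPE} in
        dir)
          if [ -d "${FILE}" ]; then
            FOUNDFILE=1
          fi
          ;;
        file)
          if [ -f "${FILE}" ]; then
            FOUNDFILE=1
          fi
          ;;
      esac

      if [ ${FOUNDFILE} -eq 1 ]; then
        FOUNDANY=1
        INFECTED_COUNT=`expr ${INFECTED_COUNT} + 1`
        INFECTED_NAMES="${INFECTED_NAMES} / ${INFO} "
        logtext --nodate "WARNING!"
        # Collected here, shown after the status line below
        FOUNDREPORT="${FOUNDREPORT}
            Warning found file '${FILE}'
            Information: ${INFO}
            -------------------------------------------------------------------------"
      else
        logtext --nodate "OK"
      fi
    done

    jump=`expr ${defaultcolumn} - ${SIZE}`
    insertlayout
    if [ ${FOUNDANY} -eq 0 ]; then
        displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
      else
        displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
        displaytext "
            -------------------------------------------------------------------------${FOUNDREPORT}
            "
    fi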

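    logtext "-------------------------- Open files tests ---------------------------"

# File names that should not be open in any running process, one 'name:info'
# entry per line with '%%' standing for a space.
SUSP_FILES_INFO="
adore.so:Adore%%LKM%%rootkit
mod_rootme.so:Apache%%mod_rootme%%backdoor
phide_mod.o:PID%%hider%%LKM
lbk.ko:LBK%%FreeBSD%%kernel%%module
vlogger.o:THC-Vlogger%%kernel%%module
cleaner.o:Cleaner%%kernel%%module
mod_klgr.o:klgr,%%keyboard%%logger%%(kernel%%module)
hydra:THC-Hydra%%(password%%capture)
hydra.restore:THC-Hydra%%(password%%capture)
"

    # Open files: 'lsof -F n' prints one 'n<path>' line per open file. Every
    # path containing "backdoor" or one of the SUSP_FILES_INFO names is
    # reported. The match is an unanchored egrep alternation, so any path
    # that merely contains e.g. "hydra" is flagged — inspect hits by hand.
    # Like every external tool used here, lsof itself must be trusted.
    displaytext -n "   Testing running processes... "
    logtext -n "Scanning running processes... "
    SIZE="30"
    jump=`expr ${defaultcolumn} - ${SIZE}`

    if [ ${LSOFFOUND} -eq 1 ]; then
	SUSP_FILES="backdoor"
	for I in ${SUSP_FILES_INFO}; do
	  FILENAME=`echo ${I} | cut -d':' -f1`
	  SUSP_FILES="${SUSP_FILES}|${FILENAME}"
	done

	# sort -u instead of 'sort | uniq'; only absolute paths ('n/') are kept
	SEARCHFILES=`${LSOFBINARY} -F n | sort -u | grep '^n/' | sed 's/^n//' | egrep "${SUSP_FILES}"`
	insertlayout
	if [ ! "${SEARCHFILES}" = "" ]; then
	  displaytext -e "${LAYOUT}[ ${BAD}BAD${NORMAL} ]"
	  logtext --nodate "Bad"
	  logtext "Warning! Found possible harmfull files. Please inspect"
	  logtext "Warning! Output of test: ${SEARCHFILES}"
	else
	  displaytext -e "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  logtext --nodate "OK"
	fi
	logtext "Scanned for '${SUSP_FILES}'"
    else
	insertlayout
	displaytext -e "${LAYOUT}[ ${YELLOW}Skipped${NORMAL} ]"
	logtext --nodate "Skipped"
    fi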

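    logtext "----------------------- Login backdoors check -------------------------"

    # Miscellaneous Login backdoors
    #
    # Every LOGIN_BACKDOORS_FILES entry is tested with -d, i.e. as a directory,
    # although the variable name says "files" — NOTE(review): confirm against
    # the DB whether -f was intended. A hit is always logged; "clean" is only
    # logged (in debug mode) for entries that were not found. The original
    # logged "clean" for every entry, hits included.

	STATUS=0
	SIZE=30

	displaytext -n "   Miscellaneous Login backdoors"

	for I in ${LOGIN_BACKDOORS_FILES}; do
	    if [ -d "${I}" ]; then
	      STATUS=1
	      logtext "${I} found! Possible part of a rootkit/trojan."
	    elif [ ${DEBUG} -eq 1 ]; then
	      logtext "${I} clean"
	    fi
	done

	jump=`expr ${defaultcolumn} - ${SIZE}`
	insertlayout
	if [ ${STATUS} -eq 0 ]; then
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
	fi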

#	STATUS=0
#	SIZE=17
#	echo -n "   Suspicious files"	
#
#	for I in ${SUSPICIOUS1_FILES}
#	  do
#	    J=`echo ${I} | cut -d ':' -f1`
#	    FINDFILE=`locate -i /${J}`
#            if [ ! "${FINDFILE}" = "" ]; then
#	        echo ${FINDFILE}
#                STATUS=1
#                logtext "${J} found! Possible part of a rootkit/trojan." >> ${DEBUGFILE}
#		FOUNDFILES="${FOUNDFILES}, "
#	      else
#	        logtext "${J} clean"
#            fi
#          done
#
#	if [ ${STATUS} -eq 0 ]
#	  then
#	    jump=`expr ${defaultcolumn} - ${SIZE}`
#	    insertlayout
#	    echo $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
#	  else
#	    jump=`expr ${defaultcolumn} - ${SIZE}`
#	    insertlayout
#	    echo $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
#	    echo "Found files:"
#	    echo "${FOUNDFILES}"
#	fi

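	# Miscellaneous directories
	#
	# Every SUSPICIOUS1_DIRS entry is tested with -f (regular file) although
	# the name says directories — NOTE(review): this test and the "Login
	# backdoors" test above look swapped; confirm against the DB.
	# logtext output is additionally appended to DEBUGFILE, as before. A hit
	# is now logged regardless of DEBUG (the original only logged the
	# negative result unconditionally).
	STATUS=0
	SIZE=26

	displaytext -n "   Miscellaneous directories"

	for I in ${SUSPICIOUS1_DIRS}; do
	    logtext -n "Checking ${I}... "
	    if [ -f "${I}" ]; then
	      STATUS=1
	      logtext "[ WARNING! ] Possible part of a rootkit/trojan." >> ${DEBUGFILE}
	    else
	      logtext "[ OK ] Not found" >> ${DEBUGFILE}
	    fi
	done

	jump=`expr ${defaultcolumn} - ${SIZE}`
	insertlayout
	if [ ${STATUS} -eq 0 ]; then
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
	fi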

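    # Sniffer logs
    #
    # Every SNIFFER_FILES entry that exists as a regular file is a warning.
    # logtext output is additionally appended to DEBUGFILE, as before. A hit
    # is now logged regardless of DEBUG (the original only logged the
    # negative result unconditionally).

	STATUS=0
	SIZE=13

	displaytext -n "   Sniffer logs"

	for I in ${SNIFFER_FILES}; do
	    logtext -n "Checking ${I}... "
	    if [ -f "${I}" ]; then
	      STATUS=1
	      logtext "[ WARNING! ] Possible sniffer log found." >> ${DEBUGFILE}
	    else
	      logtext "[ OK ] Not found" >> ${DEBUGFILE}
	    fi
	done

	jump=`expr ${defaultcolumn} - ${SIZE}`
	insertlayout
	if [ ${STATUS} -eq 0 ]; then
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
	fi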

keypresspause

    displaytext ""
    displaytext "${test}* Trojan specific characteristics${NORMAL}"

    displaytext "   shv4"

    # /etc/rc.d/rc.sysinit: three grep probes; a non-empty grep result is a
    # hit. Tests 2 and 3 are attributed to Optic Kit / Tuxkit in the output.
    SIZE="32"
    jump=`expr ${defaultcolumn} - ${SIZE}`
    displaytext -n "     Checking /etc/rc.d/rc.sysinit"
    if [ -f /etc/rc.d/rc.sysinit ]; then
        # End the heading line; every sub-test gets a line of its own
        displaytext ""
        SIZE="11"
        jump=`expr ${defaultcolumn} - ${SIZE}`

        displaytext -n "       Test 1"
        insertlayout
        if [ -n "`grep 'in.inetd' /etc/rc.d/rc.sysinit`" ]; then
           displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
        else
           displaytext $E "${LAYOUT}[ ${OK}Clean${NORMAL} ]"
        fi

        displaytext -n "       Test 2"
        insertlayout
        if [ -n "`grep 'bin/xchk' /etc/rc.d/rc.sysinit`" ]; then
           displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (possible Optic Kit / Tuxkit) ]"
        else
           displaytext $E "${LAYOUT}[ ${OK}Clean${NORMAL} ]"
        fi

        displaytext -n "       Test 3"
        insertlayout
        if [ -n "`grep 'bin/xsf' /etc/rc.d/rc.sysinit`" ]; then
           displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (possible Optic Kit / Tuxkit) ]"
        else
           displaytext $E "${LAYOUT}[ ${OK}Clean${NORMAL} ]"
        fi
    else
        insertlayout
        displaytext $E "${LAYOUT}[ ${OK}Not found${NORMAL} ]"
    fi

    # /etc/inetd.conf: an in.cfinger entry is reported as a warning.
    SIZE="27"
    jump=`expr ${defaultcolumn} - ${SIZE}`
    displaytext -n "     Checking /etc/inetd.conf"

    if [ -f /etc/inetd.conf ]; then
        insertlayout
        if [ -n "`grep in.cfinger /etc/inetd.conf`" ]; then
           displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
        else
           displaytext $E "${LAYOUT}[ ${OK}Clean${NORMAL} ]"
        fi
    else
        insertlayout
        displaytext $E "${LAYOUT}[ ${OK}Not found${NORMAL} ]"
    fi


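    SIZE="28"
    jump=`expr ${defaultcolumn} - ${SIZE}`
    displaytext -n "     Checking /etc/xinetd.conf"

    # Only check when operating system is Linux and we have a xinetd configuration.
    # Walks every file under the 'includedir' named in /etc/xinetd.conf and
    # logs each service that is not 'disable = yes'.
    # NOTE(review): FOUND is never set to 1 and WARNINGMSG is never filled, so
    # this test can only ever report "Clean"; the criterion for a warning is not
    # defined in the visible code. TODO: decide what makes a xinetd service
    # suspicious before relying on this result.
    if [ "${OPERATING_SYSTEM}" = "Linux" -a -f /etc/xinetd.conf ]; then
        FOUND=0
        WARNINGMSG=""
	logtext "Operating system is Linux and /etc/xinetd.conf found. Starting xinetd configuration scan..."

        incl=`grep includedir /etc/xinetd.conf | cut -d" " -f2-`
        if [ "$incl" ]; then
          # Paths quoted: the include directory comes from a config file
          for J in `find "${incl}/" -type f`; do
            FOUNDSERVICES=`grep ".*disable.*=.*yes" "${J}" | grep -ve "#"`
	    if [ "${FOUNDSERVICES}" = "" ]; then
	      logtext "Info: Service ${J} enabled"
	    fi
          done
        fi
	insertlayout
	if [ ${FOUND} -eq 0 ]; then
	    displaytext $E "${LAYOUT}[ ${OK}Clean${NORMAL} ]"
	    logtext "xinetd.conf seems to be clean"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
	    displaytext "${WARNINGMSG}"
	    logtext "There were warnings found while testing xinetd.conf"
	fi

	logtext "End of xinetd configuration scan"
    else
        insertlayout
	displaytext $E "${LAYOUT}[ ${OK}Skipped${NORMAL} ]"
	logtext "Skipped xinetd tests (not Linux or file doesn't exists)"
    fi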

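    displaytext ""
    displaytext "${test}* Suspicious file properties${NORMAL}"

    displaytext "   ${WHITE}chmod properties${NORMAL}"

    # Binaries that are checked twice below (permission bits, then whether
    # they have been replaced by a shell script).
    FILES="
    ${ROOTDIR}bin/ps
    ${ROOTDIR}bin/ls
    ${ROOTDIR}usr/bin/w
    ${ROOTDIR}usr/bin/who
    ${ROOTDIR}bin/netstat
    ${ROOTDIR}usr/bin/netstat
    ${ROOTDIR}bin/login"

    # Permission check. Only the exact mode string -rwxrwxrwx (0777) is
    # flagged; other world-writable modes, or modes carrying setuid/setgid/
    # sticky bits, pass this string comparison. ls -l is a system binary and,
    # like every external tool used here, must itself be trusted.
    for I in ${FILES}; do
        # Label length ("     Checking <file>") decides the status column
	SIZE=`echo "${I}" | wc -c | tr -d ' '`
	SIZE=`expr ${SIZE} + 11`
	jump=`expr ${defaultcolumn} - ${SIZE}`
	if [ -f "${I}" ]; then
	    displaytext -n "     Checking ${I}"
	    RIGHTS=`ls -l "${I}" | cut -c 1-10`
	    insertlayout
	    # $E instead of a hard-coded -e: consistent with the rest of the script
	    if [ "${RIGHTS}" = "-rwxrwxrwx" ]; then
		displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (chmod 777 found, possible trojaned) ]"
	      else
		displaytext $E "${LAYOUT}[ ${OK}Clean${NORMAL} ]"
	    fi
	  else
	    logtext "Checking ${I}... Not found"
	fi
    done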

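    displaytext "   ${WHITE}Script replacements${NORMAL}"

    # Script-replacement check: file(1) must not classify any binary in FILES
    # as a shell script. On SunOS the original ran the grep but never set
    # FILEOK, so a replaced binary was always reported Clean there; the grep
    # exit status is now used on SunOS too (output discarded instead of -q).
    for I in ${FILES}; do
        # Label length ("     Checking <file>") decides the status column
	SIZE=`echo "${I}" | wc -c | tr -d ' '`
	SIZE=`expr ${SIZE} + 11`
	jump=`expr ${defaultcolumn} - ${SIZE}`
	if [ -f "${I}" ]; then
	    displaytext -n "     Checking ${I}"

            FILEOK=true
            case "${OPERATING_SYSTEM}" in
	     AIX)
               file "${I}" | grep -q "shell script" && FILEOK=false
	       ;;
	     SunOS)
	       file "${I}" | grep "shell script" >/dev/null 2>&1 && FILEOK=false
	       ;;
             *)
               file -b "${I}" | grep -q "shell script" && FILEOK=false
	       ;;
            esac

	    insertlayout
	    if ! $FILEOK; then
		displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
		displaytext "(script replacement found, possible trojaned)"
		logtext "Checking ${I}... [ WARNING ]"
		logtext "Possible script replacement found. Please inspect this file (check the file type, contents and size)"
	      else
		displaytext $E "${LAYOUT}[ ${OK}Clean${NORMAL} ]"
		logtext "Checking ${I}... [ OK ]"
	    fi
	  else
	    logtext "Checking ${I}... Not found"
	fi
    done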


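    displaytext ""
    displaytext "${test}* OS dependant tests${NORMAL}"

    # FreeBSD-specific tests: kldstat keyword scan, sockstat/netstat
    # cross-check and a ports package-database consistency check.
    if [ "${OPERATING_SYSTEM}" = "FreeBSD" ]; then
	    displaytext "   ${WHITE}FreeBSD${NORMAL}"
	    SIZE=38
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    displaytext -n "     Checking presence of KLD signatures"
	    STATUS=0
	    # Reset the accumulator; the original never initialised it, so a
	    # value left over from earlier in the script would have been shown.
	    FOUNDKEYS=""

	    # Every KLDSTATKEYWORDS term is used as a grep regex on verbose kldstat
	    for I in ${KLDSTATKEYWORDS}; do
	      PRESENCE=`kldstat -v | grep "${I}"`
	      if [ ! "${PRESENCE}" = "" ]; then
		STATUS=1
		FOUNDKEYS="${FOUNDKEYS}${I} "
	      fi
	    done

	    insertlayout
	    if [ "${STATUS}" -eq 1 ]; then
	        displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (found terms: ${FOUNDKEYS}) ]"
	      else
		displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	    fi

    logtext "--------------------- Netstat / Sockstat checks -----------------------"

	    SIZE=40
	    jump=`expr ${defaultcolumn} - ${SIZE}`

	    # Listening sockets as seen by sockstat versus netstat -an, both
	    # reduced to a sorted, de-duplicated list of ports by fixed column
	    # slicing. NOTE(review): the cut offsets are tied to the output
	    # layout of the sockstat/netstat of the day — verify on the target
	    # release before trusting a mismatch (or a match).
	    displaytext -n "     Comparing output sockstat and netstat"
	    logtext -n "Comparing output of sockstat and netstat... "
	    SOCKSTAT=`sockstat | grep '*:*' | cut -c 1-55 | grep '*:' | cut -c 39-47 | tr -d ' ' | sort | grep -v '*' | uniq`
	    NETSTAT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort -u`

	    insertlayout
	    if [ "${SOCKSTAT}" = "${NETSTAT}" ]; then
	        displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
		logtext "OK"
	      else
	        displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
		logtext "WARNING!"
		logtext "Sockstat tested output: ${SOCKSTAT}"
		logtext "Netstat tested output: ${NETSTAT}"
	    fi

    logtext "---------------------- Packages database check ------------------------"

	    # Package database consistency; "Skipped." in the pkgdb output is
	    # treated as an inconsistency to check by hand. Not a security test.
	    # NOTE(review): -F appears to be pkgdb's *fix* mode (with -a for
	    # automatic), i.e. a scanner run mutates the package database —
	    # consider a read-only invocation.
	    if [ -f /usr/local/sbin/pkgdb ]; then
	        SIZE=29
	        jump=`expr ${defaultcolumn} - ${SIZE}`
	        displaytext -n "     Checking packages database"

	        RESULT=`/usr/local/sbin/pkgdb -Fa -v | grep "Skipped."`

	        insertlayout
	        if [ "${RESULT}" = "" ]; then
	          displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
		  logtext "OK"
	        else
	          displaytext $E "${LAYOUT}[ ${YELLOW}Please check${NORMAL} ]"
		  logtext "Your package databases seems to have inconsistenties. Please run pkgdb -F to"
		  logtext "do manually checking. Although this isn't a security issue, you need to be sure"
		  logtext "your applications are using the correct dependancies"
	        fi
	    fi
	fi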

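	# Linux-specific tests. OPERATING_SYSTEM is quoted: an empty value used
	# to turn this into an invalid test expression.
	if [ "${OPERATING_SYSTEM}" = "Linux" ]; then
	    temp1=""; temp2=""
	    displaytext ""
	    displaytext "   ${WHITE}Linux${NORMAL}"

	    SIZE=37
	    jump=`expr ${defaultcolumn} - ${SIZE}`

	    displaytext -n "     Checking loaded kernel modules... "

	    # Compare the module list in /proc/modules with what lsmod prints.
	    # Both are read on the same running kernel, so this presumably
	    # catches a modified lsmod binary rather than a module that hides
	    # itself from /proc/modules — treat an OK as weak evidence only.
	    if [ -f /proc/modules ]; then
	        if [ "${KERNELVERSION}" = "2.2" -o "${KERNELVERSION}" = "2.4" ]; then
		    # 2.2/2.4: whole lines, spaces stripped so both formats line up
		    temp1=`sort < /proc/modules | tr -d ' '`
		    temp2=`${LSMODBINARY} | grep -v "Size  Used by" | sort | tr -d ' '`
	        elif [ "${KERNELVERSION}" = "2.6" ]; then
		    # 2.6: only the module-name column is comparable
		    temp1=`sort < /proc/modules | tr -s ' ' | cut -d " " -f1`
		    temp2=`${LSMODBINARY} | grep -v "Size  Used by" | sort | tr -s ' ' | cut -d " " -f1`
	        fi
	    fi

	    # temp1 stays empty without /proc/modules or for an unhandled
	    # kernel version; both cases are reported as skipped.
	    if [ ! "${temp1}" = "" ]; then
		insertlayout
		if [ "${temp1}" = "${temp2}" ]; then
		    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	        else
		    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (found difference in output) ]"
	        fi
	    else
	        displaytext "${WHITE}Skipped!${NORMAL}"
		logtext "Info: no /proc/modules found. Lsmod test skipped"
	    fi

	    # (A commented-out per-module string scan draft used to live here;
	    # it was never enabled.)

	logtext "--------------------------- File attributes ---------------------------"

	SIZE=28
	displaytext -n "     Checking files attributes"
	jump=`expr ${defaultcolumn} - ${SIZE}`

	FOUND=0

	# Immutable-flag scan over every entry of the BINPATHS directories.
	# NOTE(review): the 'i' flag is read from column 4 of the lsattr output;
	# that position depends on the lsattr version — TODO verify on the target
	# e2fsprogs before trusting a negative result. An immutable flag is set
	# by some hardening tools as well as by rootkits, hence "Special
	# attributes found" rather than a plain warning.
        if [ "${LSATTRFOUND}" -eq 1 ]; then
            for I in ${BINPATHS}; do
	      logtext "Checking $I file attributes"
	      # Glob instead of parsing ls; skip the literal pattern of an empty dir
	      for J in ${I}/*; do
	        [ -e "${J}" ] || continue
	        LSAT=`${LSATTRBINARY} "${J}" | cut -c 4`
	        if [ "${LSAT}" = "i" ]; then
	          FOUND=1
	          logtext "Found 'immutable' binary (${J})"
	        fi
	      done
	    done
	    insertlayout
	    if [ ${FOUND} -eq 0 ]; then
	      displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	     else
              displaytext $E "${LAYOUT}[ ${YELLOW}Special attributes found!${NORMAL} ]"
	      logtext "Found special attributes on some binaries! This can be performed by security software OR"
	      logtext "by a rootkit. Please inspect these files and try to find the reason of this immutable flag."
	      logtext "See 'man chattr' for more information about this attributes."
	    fi
	  else
	    insertlayout
	    # NOTE(review): ${file} is not assigned anywhere in this section;
	    # presumably an empty leftover — confirm before removing it.
	    displaytext $E "   ${file}${LAYOUT}[ ${WHITE}Skipped!${NORMAL} ]"
        fi

	# End Linux tests
	fi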

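	logtext "------------------------------- Backdoors -----------------------------"

	displaytext ""; displaytext ""
	displaytext "${YELLOW}Networking${NORMAL}"

	displaytext "${test}* Check: frequently used backdoors${NORMAL}"

	# Listening-port check, Linux and FreeBSD only. The port list is read
	# from DB_PATH/backdoorports.dat as 'port:description' lines ('%%' is a
	# space). netstat is a system binary: like every external tool used
	# here it must itself be trusted for the result to mean anything.
	donetstat="0"
	if [ "${OPERATING_SYSTEM}" = "Linux" ]; then
	    donetstat="1"
	fi
	if [ "${OPERATING_SYSTEM}" = "FreeBSD" ]; then
	    donetstat="1"
	fi

	# Skip tests when GRSEC is available (because of the locking of /proc/*)
	if [ ${GRSECINSTALLED} -eq 1 ]; then
	    donetstat="0"
	fi

	if [ "${donetstat}" = "1" ]; then
	    for i in `cat "${DB_PATH}/backdoorports.dat"`; do
	        port=`echo ${i} | cut -d ':' -f 1`
		DESCRIPTION=`echo ${i} | cut -d ':' -f 2`
		DESCRIPTION=`echo ${DESCRIPTION} | sed 's/%%/ /g'`

		# Reset per port so a previous hit cannot leak into this result
		checkport=""
		# Linux netstat prints addr:port, FreeBSD addr.port; the trailing
		# space keeps e.g. port 22 from matching 2222.
		if [ "${OPERATING_SYSTEM}" = "Linux" ]; then
		    checkport=`netstat -an | grep "LISTEN" | grep ":${port} "`
		fi
	        if [ "${OPERATING_SYSTEM}" = "FreeBSD" ]; then
	            checkport=`netstat -an | grep "LISTEN" | grep ".${port} "`
	        fi

		SIZE=`echo "   ${port}: ${DESCRIPTION} " | wc -c | tr -d ' '`
		jump=`expr ${defaultcolumn} - ${SIZE}`
		displaytext -n "  Port ${port}: ${DESCRIPTION}"

		insertlayout
		if [ "${checkport}" = "" ]; then
		    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
		  else
		    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (possible trojan port) ]"
		fi
	    done
	  else
	    # Reset the colour; the original left the terminal in ${YELLOW}
	    displaytext "${YELLOW}Not tested${NORMAL}"
	    if [ ${GRSECINSTALLED} -eq 1 ]; then
	      logtext "Backdoor ports test skipped, due customized kernel (GRSEC)"
	    fi
	fi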

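	displaytext ""
	displaytext "${test}* Interfaces${NORMAL}"

	SIZE=38
	jump=`expr ${defaultcolumn} - ${SIZE}`

	    displaytext -n "     Scanning for promiscuous interfaces"
	    LOGTEXT="Checking network interfaces (promiscuous mode)... "

	    # Two probes: ifconfig (test 1) and, when IPFOUND says it exists,
	    # 'ip -s link' (test 2). Either one reporting PROMISC is a warning.
	    # SunOS has no ifconfig probe; without the ip probe it is reported
	    # as Skipped. (The original printed "Skipped" for SunOS and then an
	    # OK/Warning line as well.)
	    PROMISCSCAN1=""; PROMISCSCAN2=""
	    PROMISCSKIP=0

            case "${OPERATING_SYSTEM}" in
	    AIX|OpenBSD)
	      # pflog interfaces are excluded (presumably they report PROMISC legitimately)
	      PROMISCSCAN1=`${IFCONFIGBINARY} -a | grep -v pflog | grep 'PROMISC'`
	      ;;
	    SunOS)
	      PROMISCSKIP=1
	      ;;
	    *)
	      PROMISCSCAN1=`${IFCONFIGBINARY} | grep 'PROMISC'`
	      ;;
            esac

	    if [ ${IPFOUND} -eq 1 ]; then
	      PROMISCSCAN2=`${IPBINARY} -s link | grep 'PROMISC'`
	    fi

	    insertlayout
	    if [ ${PROMISCSKIP} -eq 1 -a ${IPFOUND} -eq 0 ]; then
	        displaytext -e "${LAYOUT}[ ${YELLOW}Skipped${NORMAL} ]"
	    elif [ "${PROMISCSCAN1}" = "" -a "${PROMISCSCAN2}" = "" ]; then
	        displaytext -e "${LAYOUT}[ ${OK}OK${NORMAL} ]"
		logtext "${LOGTEXT}[ OK ]"
		if [ ${IPFOUND} -eq 1 ]; then
		  logtext "Performed succesfull test with \`ip\`"
		fi
	    else
	        displaytext -e "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
		displaytext "Found promiscuous interface. Please use option '--createlogfile' and check the logfile"
		logtext "${LOGTEXT}[ WARNING ]"
		logtext "Possible promisc interfaces:"
		# PROMISCSCAN1 — the original logged the never-assigned PROMISCSCAN
		logtext "Output test 1: ${PROMISCSCAN1}"
	        if [ ! "${PROMISCSCAN2}" = "" ]; then
		  # Interface names only (second field, trailing colon stripped)
		  PROMISCSCAN2IFACES=`${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'`
		  logtext "Output test 2: ${PROMISCSCAN2IFACES}"
	        fi
	    fi

keypresspause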


##################################################################################################
#
# System checks
#
##################################################################################################
	    

	displaytext ""; displaytext ""
	displaytext "${YELLOW}System checks${NORMAL}"

	displaytext "${test}* Allround tests${NORMAL}"

	# Hostname sanity: an empty hostname is only reported, nothing is changed
	displaytext -n "   Checking hostname... "
	case "${hostname}" in
	  "")
	    displaytext "${BAD}Warning. ${NORMAL}Found empty hostname. Some programs don't like this."
	    ;;
	  *)
	    displaytext "${OK}Found. ${NORMAL}Hostname is ${hostname}"
	    ;;
	esac

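	# Baseline comparison of /etc/passwd and /etc/group against the copy
	# kept from the previous run under ${TMPDIR}. With 'diff <current>
	# <baseline>', '<' lines exist only in the current file (added since the
	# last run) and '>' lines only in the baseline (removed). The group
	# check used the opposite labels in the original; both now agree.
	# NOTE(review): the baseline is written with a plain cp into ${TMPDIR}.
	# If that directory is writable by other users the baseline can be
	# pre-seeded, and cp follows a symlink placed at the destination —
	# confirm TMPDIR is a private, root-owned directory before trusting
	# this test.
	if [ ${PASSWDCHECK_SKIP} -eq 0 ]; then
	    displaytext -n "   Checking for differences in user accounts... "
	    if [ -e "/etc/passwd" ]; then
	        if [ -e "${TMPDIR}/passwd" ]; then
		    differences=`diff /etc/passwd "${TMPDIR}/passwd" | grep ":"`
		    if [ "${differences}" = "" ]; then
		        displaytext "${OK}OK. ${NORMAL}No changes."
		      else
			diffadded=`echo "${differences}" | grep "<"`
			diffremoved=`echo "${differences}" | grep ">"`
		        displaytext "${red}Found differences${NORMAL}"
		        displaytext "   Info: "
			displaytext "----------------------"
			displaytext "${differences}"
			displaytext "----------------------"
			if [ ! "${diffadded}" = "" ]; then
			    displaytext "   Info: Some items have been added (items marked with '<')"
			fi
			if [ ! "${diffremoved}" = "" ]; then
			    displaytext "   Info: Some items have been removed (items marked with '>')"
			fi
		    fi
		    rm -f "${TMPDIR}/passwd"
		  else
		    # First run, no baseline yet. The original printed a stale
		    # LAYOUT line here; use the same wording as the group check.
		    displaytext "${warning}Creating file ${NORMAL}It seems this is your first time."
		fi

		cp /etc/passwd "${TMPDIR}/passwd"
	      else
	        displaytext "${BAD}Error. ${NORMAL}Cannot find /etc/passwd"
	    fi

	    displaytext -n "   Checking for differences in user groups... "
	    if [ -e "/etc/group" ]; then
	        if [ -e "${TMPDIR}/group" ]; then
		    differences=`diff /etc/group "${TMPDIR}/group" | grep ":"`
		    if [ "${differences}" = "" ]; then
		        displaytext "${OK}OK. ${NORMAL}No changes."
		      else
			# Same orientation as the passwd check: '<' current, '>' baseline
			diffadded=`echo "${differences}" | grep "<"`
			diffremoved=`echo "${differences}" | grep ">"`
		        displaytext "${red}Found differences${NORMAL}"
		        displaytext "   Info: "
			displaytext "----------------------"
			displaytext "${differences}"
			displaytext "----------------------"
			if [ ! "${diffadded}" = "" ]; then
			    displaytext "   Info: Some items have been added (items marked with '<')"
			fi
			if [ ! "${diffremoved}" = "" ]; then
			    displaytext "   Info: Some items have been removed (items marked with '>')"
			fi
		    fi
		    rm -f "${TMPDIR}/group"
		  else
		    displaytext "${warning}Creating file ${NORMAL}It seems this is your first time."
		fi

		cp /etc/group "${TMPDIR}/group"
	      else
	        displaytext "${BAD}Error. ${NORMAL}Cannot find /etc/group"
	    fi
        fi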


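	SIZE=42
	jump=`expr ${defaultcolumn} - ${SIZE}`
	displaytext "   Checking boot.local/rc.local file... "

	# Each candidate start-up file is grepped for every RCLOCAL_STRINGS
	#  pattern (field 1 of a 'pattern:...' entry, used as a grep regex).
	# The result is per file: the flag is reset for every file. The
	# original kept the first hit, so every later file was reported too.
	# Gentoo: /etc/conf.d/local.start
	RCLOCATIONS="/etc/rc.local /etc/rc.d/rc.local /usr/local/etc/rc.local /usr/local/etc/rc.d/rc.local /etc/conf.d/local.start /etc/init.d/boot.local"

	for FILE in ${RCLOCATIONS}; do
	    FOUNDRCSIGN=0
	    FILELENGTH=`echo ${FILE} | wc -c | tr -d ' '`
	    SIZE=4
	    jump=`expr ${defaultcolumn} - ${SIZE} - ${FILELENGTH}`

	    displaytext -n "     - ${FILE}"
	    if [ -f "${FILE}" ]; then
		for J in ${RCLOCAL_STRINGS}; do
		  STRING=`echo ${J} | cut -d':' -f1`
		  FOUND=`grep "${STRING}" "${FILE}"`
		  if [ ! "${FOUND}" = "" ]; then
		      FOUNDRCSIGN=1
		      logtext "Warning! Found unusual string in ${FILE}"
		  fi
	        done

		insertlayout
		if [ "${FOUNDRCSIGN}" -eq 1 ]; then
		    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (found unusual signs) ]"
		    logtext "Warning! Found unusual string in rc.local/boot.local file"
		  else
	            displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
		fi
	      else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK}Not found${NORMAL} ]"
	    fi
	done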

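	FOUNDRCSIGN=0
	COUNTER=0

	SIZE=24
	jump=`expr ${defaultcolumn} - ${SIZE}`
	displaytext -n "   Checking rc.d files... "

	# Scan every regular file below /etc/rc.d for the RCLOCAL_STRINGS
	# patterns.  One cumulative verdict is given for the whole tree.
	if [ -d /etc/rc.d ]; then
	  # Insert end-of-line
	  displaytext ""
	  displaytext -n "     Processing"
	  # NOTE: the command substitution word-splits on whitespace, so a path
	  # containing a space still arrives as several words; the quoting below
	  # only keeps such a fragment from breaking the test and grep calls.
	  for I in `find /etc/rc.d/*`; do
	    # Only check files, not directories
	    if [ -f "${I}" ]; then
	      # Progress indicator: one dot per file, wrapped every 40 files
	      COUNTER=`expr ${COUNTER} + 1`
	      if [ ${COUNTER} -eq 40 ]; then
	        displaytext "."
	        displaytext -n "               "
	        COUNTER=0
	      else
	        displaytext -n "."
	      fi
	      for J in ${RCLOCAL_STRINGS}; do
	        STRING=`echo "${J}" | cut -d':' -f1`
	        FOUND=`grep "${STRING}" "${I}"`
	        if [ ! "${FOUND}" = "" ]; then
	          FOUNDRCSIGN=1
	          # Name the file in the log so a warning can be traced
	          logtext "Warning! Found unusual string in ${I}"
	        fi
	      done
	    fi
	  done
	  # Insert end-of-line
	  displaytext ""
	  displaytext -n "   Result rc.d files check"
	  insertlayout
	  if [ "${FOUNDRCSIGN}" -eq 1 ]; then
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (found unusual things) ]"
	  else
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  fi

	else
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${OK}Not found${NORMAL} ]"

	fi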

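	if [ -f "${ROOTDIR}etc/conf.d/local.start" ]; then
	  SIZE=37
	  jump=`expr ${defaultcolumn} - ${SIZE}`
	  displaytext -n "   Checking Gentoo local.start file... "
	  logtext "Found ${ROOTDIR}etc/conf.d/local.start file (Gentoo)"

	  # Start from a clean state: FOUNDRCSIGN still holds the result of the
	  # rc.d scan above and would otherwise be reported here a second time.
	  FOUNDRCSIGN=0

	  # Comment and empty lines are not interesting
	  INSPECTLINES=`grep -v '^#' "${ROOTDIR}etc/conf.d/local.start" | grep -v '^$'`

	  for J in ${RCLOCAL_STRINGS}; do
	    STRING=`echo "${J}" | cut -d':' -f1`
	    # Quoted so that only the matching line(s) end up in the log, not
	    # the whole file collapsed onto one line
	    FOUND=`echo "${INSPECTLINES}" | grep "${STRING}"`
	    if [ ! "${FOUND}" = "" ]; then
	      FOUNDRCSIGN=1
	      logtext "Found ${FOUND} while checking ${ROOTDIR}etc/conf.d/local.start"
	    fi
	  done

	  # $E (not a literal -e) like the other checks: it is empty when echo
	  # is aliased to ksh's print
	  insertlayout
	  if [ "${FOUNDRCSIGN}" -eq 1 ]; then
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  fi

	fi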

#	logtext "---------------------------- Binary checks ----------------------------"

#	SIZE=18
#	displaytext -n "   Checking binaries..."
#	jump=`expr ${defaultcolumn} - ${SIZE}`			

#        if [ ${STRINGSFOUND} -eq 1 ]; then

#	  FOUND=0
#	  for I in ${BINPATHS}; do

#            # Calculate string length
#	    SIZE=`echo "${I}" | wc -c | tr -d ' '`
# 	    SIZE=`expr ${SIZE} + 7`	  
#	    jump=`expr ${defaultcolumn} - ${SIZE}`

#	    for J in ${I}; do
#	      for K in `ls ${J}/*`; do
#	        UPXED=`${STRINGSBINARY} ${K} | grep " UPX "`
#	        logtext -n "Checking ${K}... "
#	        if [ ! "${UPXED}" = "" ]; then
#	          FOUND=1
#		  logtext "BAD"
#		  logtext "Warning: ${J} seems to be a UPXed file. This is not usual for a binary file"
#		 else
#		  logtext "OK"
#	        fi
#	      done  	      
#	    done
#	  done
#	  
#	  # Check results
#	  if [ ${FOUND} -eq 1 ]
#	    then
#	      insertlayout
#	      displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
#	      displaytext "See logfile for more information"
#	    else
#	      insertlayout
#	      displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"    
#	  fi
#
#        else
#	      insertlayout
#	      displaytext $E "${LAYOUT}[ ${YELLOW}Skipped${NORMAL} ]"
#	fi

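	logtext "---------------------------- History files ----------------------------"

	SIZE=15
	displaytext "   Checking history files"
	jump=`expr ${defaultcolumn} - ${SIZE}`

	displaytext -n "     Bourne Shell"

	# A symlinked history file (typically pointing at /dev/null) hides the
	# shell history.  Test for the link first: '-f' follows symlinks, so a
	# link to a device node fails the file test and would be reported as
	# "Not Found" instead of as a redirection.
	HISTORYFILE="/root/.bash_history"
	insertlayout
	if [ -L "${HISTORYFILE}" ]; then
	  displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (redirection found) ]"
	  logtext "Warning! ${HISTORYFILE} is a symbolic link"
	elif [ -f "${HISTORYFILE}" ]; then
	  displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	else
	  displaytext $E "${LAYOUT}[ ${OK}Not Found${NORMAL} ]"
	fi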

	displaytext ""
	displaytext "${test}* Filesystem checks${NORMAL}"
	displaytext -n "   Checking /dev for suspicious files... "

	if [ ! -d "${ROOTDIR}dev" ]; then
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${YELLOW}NA${NORMAL} ]"
	else
	  # Everything in /dev whose 'file' description is not one of the
	  # expected entry types is listed.  Known-good descriptions:
	  #   FreeBSD (5): character special, symbolic link to, directory
	  #   Linux (Debian): block special, socket, fifo (named pipe)
	  SPECIALFILES=`file "${ROOTDIR}dev/"* | $EGREP -v 'character special|block special|socket|fifo \(named pipe\)|symbolic link to|empty|directory|MAKEDEV'`

	  SIZE=39
	  jump=`expr ${defaultcolumn} - ${SIZE}`
	  insertlayout

	  if [ -z "${SPECIALFILES}" ]; then
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} (unusual files found) ]"
	    displaytext "---------------------------------------------"
	    displaytext "Unusual files:"
	    displaytext "${SPECIALFILES}"
	    displaytext "---------------------------------------------"
	  fi
	fi

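	SIZE=29

	displaytext -n "   Scanning for hidden files..."

	# Directories scanned for hidden (dot) files and directories
	SEARCHINDIRS="/dev /bin /usr /usr/man /usr/man/man1 /usr/man/man8 /usr/bin /usr/sbin /sbin /etc"
	# Only reset status once
	STATUS=0
	# Accumulated over all directories; start empty so that nothing from an
	# earlier assignment can leak into the report
	ALLHIDDENDIRS=""
	HIDDENFILES=""

	for I in ${SEARCHINDIRS}; do
	  # Initialize directory
	  HIDDENDIRS=""

	  logtext "Start scanning for hidden files in ${I}..."

	  if [ -d "${I}" ]; then
	    # showfiles.pl prints the hidden entries it finds in ${I}
	    HIDDENDIRS=`${MYDIR}/lib/rkhunter/scripts/showfiles.pl "${I}"`
	    logtext "Value of hiddendirs: ${HIDDENDIRS}"
	  fi

	  if [ ! "${HIDDENDIRS}" = "" ]; then
	    ALLHIDDENDIRS="${ALLHIDDENDIRS} ${HIDDENDIRS}"
	    STATUS=1
	  fi

	  logtext "End of scanning ${I}"

	done

	jump=`expr ${defaultcolumn} - ${SIZE}`

	if [ ${STATUS} -eq 0 ]; then
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	else
	  # Reset state: STATUS is set again below only for hidden directories
	  # that are neither whitelisted nor of a known harmless type.  Other
	  # hidden entries are listed in the log but do not change the verdict.
	  STATUS=0
	  # Whitelist: ALLOWHIDDENDIR=<path> lines in the config file, read once
	  ALLOWEDHIDDENDIRS=`egrep '^ALLOWHIDDENDIR=' "${CONFIGFILE}" | sed 's/ALLOWHIDDENDIR=//g'`

	  # NOTE: the unquoted expansion is intended (one word per entry) but it
	  # also lets the shell glob-expand names containing '*' or '?'.
	  for I in ${ALLHIDDENDIRS}; do
	    if [ "${OPERATING_SYSTEM}" = "AIX" -o "${OPERATING_SYSTEM}" = "SunOS" ]; then
	      # No 'file -b' here: drop the "name:" column with awk instead
	      FILETYPE=`file "${I}" | awk '{print $2}'`
	    else
	      FILETYPE=`file -b "${I}"`
	    fi

	    # Ignore some filetypes, because they are harmless
	    case ${FILETYPE} in
	      "character special (8/0)" | "character special (254/0)" | "empty")
	        logtext "Hidden file/dir ${I} [${FILETYPE}] seems to be OK"
	        ;;
	      "TDB database"*)
	        logtext "Hidden file/dir ${I} [${FILETYPE}] seems to be OK"
	        ;;
	      *)
	        # Ignore Gentoo's zero-sized files (extra check for future use).
	        # NOTE(review): kept as originally written apart from quoting and
	        # the "$I}" typo: the test compares the full path with ".keep",
	        # which never matches, and with GENTOO=1 it skips every entry.
	        # Confirm the intended behaviour before tightening it.
	        if [ ! "${GENTOO:-0}" -eq 1 -a ! "${I}" = ".keep" -a -n "${I}" ]; then
	          SEARCHDIR=0
	          if [ "${FILETYPE}" = "directory" ]; then
	            for ALLOWHIDDENDIRS in ${ALLOWEDHIDDENDIRS}; do
	              if [ "${ALLOWHIDDENDIRS}" = "${I}" ]; then
	                SEARCHDIR=1
	                logtext "Found hidden directory ${I} on whitelist"
	              fi
	            done
	          fi
	          # Is it a directory and is it on the whitelist?
	          # searchdir: 0 = NOT on list, 1 = on list
	          if [ "${FILETYPE}" = "directory" -a ${SEARCHDIR} -eq 0 ]; then
	            STATUS=1
	            HIDDENFILES="${HIDDENFILES} ${I} (${FILETYPE}) "
	            logtext "Added ${I} (${FILETYPE}) to list of unknown hidden files/dirs"
	          fi
	        fi
	        ;;
	    esac
	  done

	  insertlayout
	  if [ ${STATUS} -eq 1 ]; then
	    displaytext $E "${LAYOUT}[ ${YELLOW}Warning!${NORMAL} ]"
	    logtext "WARNING, found: ${ALLHIDDENDIRS}"

	    displaytext "---------------"
	    # Quoted: an unquoted list would be glob-expanded and re-split
	    displaytext "${ALLHIDDENDIRS}"
	    displaytext "---------------"

	    displaytext "Please inspect: ${HIDDENFILES}"
	  else
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  fi

	fi

keypresspause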

##################################################################################################
#
# Application advisories and warnings
#
##################################################################################################


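	logtext "------------------------ Application advisories -----------------------"

	displaytext ""; displaytext ""
	displaytext "${YELLOW}Application advisories${NORMAL}"
	displaytext "* Application scan"

	FOUNDSTRING=0
	SIZE=33
	displaytext -n "   Checking Apache2 modules ... "
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# Look for the rogue mod_rootme module in the module load files of a
	# Debian-style Apache2 installation.
	if [ -d /etc/apache2/mods-enabled ]; then
	  # Iterate with a glob instead of parsing 'ls'; skip anything that is
	  # not a regular file (this also covers an unmatched glob pattern).
	  for I in /etc/apache2/mods-enabled/*; do
	    [ -f "${I}" ] || continue
	    SEARCHSTRING=`egrep 'mod_rootme.so|mod_rootme2.so' "${I}"`
	    logtext -n "Checking Apache2 modules in /etc/apache2/mods-enabled ${I}... "
	    if [ ! "${SEARCHSTRING}" = "" ]; then
	      logtext "Warning! Possible bad module found."
	      FOUNDSTRING=1
	    else
	      logtext "OK"
	    fi
	  done

	  insertlayout
	  if [ ${FOUNDSTRING} -eq 1 ]; then
	    displaytext $E "   ${LAYOUT}[ ${BAD}BAD${NORMAL} ]"
	  else
	    displaytext $E "   ${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  fi

	else
	  insertlayout
	  displaytext $E "   ${LAYOUT}[ ${OK}Not found${NORMAL} ]"
	fi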


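	FOUNDSTRING=0

	SIZE=38
	displaytext -n "   Checking Apache configuration ... "
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# Same rogue module, this time searched for in the httpd configuration
	# files listed in HTTPDCONFS.
	for I in ${HTTPDCONFS}; do
	  if [ -f "${I}" ]; then
	    SEARCHSTRING=`egrep 'mod_rootme.so|mod_rootme2.so' "${I}"`
	    if [ ! "${SEARCHSTRING}" = "" ]; then
	      # Found evil module; record which file so the BAD verdict below
	      # can be traced in the log
	      FOUNDSTRING=1
	      logtext "Warning! Possible bad module found in ${I}"
	    fi
	  fi
	done

	insertlayout
	if [ ${FOUNDSTRING} -eq 1 ]; then
	  displaytext $E "   ${LAYOUT}[ ${BAD}BAD${NORMAL} ]"
	else
	  displaytext $E "   ${LAYOUT}[ ${OK}OK${NORMAL} ]"
	fi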



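	logtext "---------------------- Application version check ----------------------"


	if [ ${APPLICATION_CHECK} -eq 1 ]; then

	  displaytext ""
	  displaytext "* Application version scan"


# Directories searched for the applications listed in SCANFILES
BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/libexec"

# Applications to version-check, one "<binary>:<display name>:" per line.
# A '%' in the display name stands for a space (expanded with tr below).
SCANFILES="
clamd:ClamAV:
exim:Exim%%MTA:
gpg:GnuPG:
httpd:Apache:
named:Bind%%DNS:
openssl:OpenSSL:
php:PHP:
procmail:Procmail%%MTA:
proftpd:ProFTPd:
sshd:OpenSSH:
"

#mc:Midnight%%Commander:

# Only referenced by the (commented out) Linux kernel check at the end of
# this section
LINUX_KERNELS="
vulnerable:%2.4.22%2.4.23%
nonvulnerable:%2.4.24%
"

	  FOUND=0
	  FOUNDUNKNOWN=0

	  # The version databases do not change during the scan: read them once
	  # instead of once per application.  Lines are "<name>:<versions>", the
	  # versions being '%'-delimited so that "%${VERSION}%" matches a whole
	  # version and not a prefix of another one.
	  VULNERABLE=`cut -d ':' -f2 "${DB_PATH}/programs_bad.dat"`
	  NONVULNERABLE=`cut -d ':' -f2 "${DB_PATH}/programs_good.dat"`

	  for J in ${SCANFILES}; do
	    APPLICATION=`echo "${J}" | cut -d ':' -f1`
	    APPLICATIONNAME=`echo "${J}" | cut -d ':' -f2`
	    logtext "----------------------------------------------------------"
	    logtext "Scanning ${APPLICATIONNAME}..."

	    FILEFOUND=0
	    for I in ${BINPATHS}; do

	      if [ -f "${I}/${APPLICATION}" ]; then
	        FILEFOUND=1
	        VERSION=""
	        # Every program reports its version differently.  Programs that
	        # print it on stderr are read through '2>&1' in the pipeline
	        # rather than via a fixed-name file in /tmp: the scan runs as
	        # root and a predictable /tmp path is open to symlink attacks
	        # by local users.  (This also runs the program's stdout through
	        # the same filter instead of prepending it raw to VERSION.)
	        case ${APPLICATION} in
	          clamd)
	            VERSION=`${I}/clamd --version | grep 'ClamAV version' | awk '{ print $5 }'`
	            ;;
	          exim)
	            VERSION=`${I}/exim -bV | grep 'Exim version' | awk '{ print $3 }'`
	            ;;
	          gpg)
	            VERSION=`${I}/gpg --version | grep 'GnuPG' | awk '{ print $3 }'`
	            ;;
	          httpd)
	            VERSION=`${I}/httpd -v | grep 'Apache' | cut -d ' ' -f3 | cut -d '/' -f2`
	            ;;
#          mc)
#                VERSION=`${I}/mc -V | head -n 1 2> /tmp/mc.txt && cat /tmp/mc.txt | grep 'Midnight Commander' | sed 's/GNU Midnight Commander//' | awk '{ print $4 }' && rm -f /tmp/mc.txt`
#                ;;
	          named)
	            VERSION=`${I}/named -v | grep 'named' | grep -v '/' | awk '{ print $2 }'`
	            # Strip a "-<suffix>" from the version number
	            case ${VERSION} in
	              *-*) VERSION=`echo ${VERSION} | cut -d '-' -f1` ;;
	            esac
	            ;;
	          openssl)
	            VERSION=`${I}/openssl version | head -n 1 | cut -d' ' -f2`
	            ;;
	          php)
	            VERSION=`${I}/php -v | head -n 1 | awk '{ print $2 }'`
	            ;;
	          procmail)
	            VERSION=`${I}/procmail -v 2>&1 | grep 'procmail v' | awk '{ print $2 }' | tr -d 'v'`
	            ;;
	          proftpd)
	            VERSION=`${I}/proftpd -v 2>&1 | awk '{ print $4 }'`
	            ;;
	          squid)
	            VERSION=`${I}/squid -v | grep 'Squid Cache' | awk '{ print $4 }'`
	            ;;
	          sshd)
	            VERSION=`${I}/sshd -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2`
	            ;;
	          *)
	            displaytext "Unknown"
	            VERSION="NA"
	            ;;
	        esac

	        logtext "${I}/${APPLICATION} found"

	        # Some programs end their output with CRLF
	        VERSION=`echo ${VERSION} | tr -d '\r'`

	        # Both branches print the name ('%' placeholders turned into
	        # spaces) and pad to the result column; the JUMPCOL/+11 offsets
	        # are taken over from the original layout calculation.
	        APPLICATIONNAME=`echo ${APPLICATIONNAME} | tr -s '%' ' '`
	        JUMPCOL=`expr ${defaultcolumn} - 12`
	        if [ "${VERSION}" = "" ]; then
	          logtext "No version found of application ${APPLICATION}"
	          displaytext -n "   - ${APPLICATIONNAME} [unknown] "
	          SIZE=`echo \'${APPLICATIONNAME} [unknown]\' | wc -c | tr -s ' ' | tr -d ' '`
	          jump=`expr ${JUMPCOL} - ${SIZE} + 11`
	          insertlayout
	          displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	        else
	          displaytext -n "   - ${APPLICATIONNAME} ${VERSION} "
	          SIZE=`echo \'${APPLICATIONNAME} ${VERSION}\' | wc -c | tr -s ' ' | tr -d ' '`
	          jump=`expr ${JUMPCOL} - ${SIZE} + 11`
	          insertlayout

	          # VERSION is used as a basic regular expression here (so '.'
	          # matches any character); the '%' delimiters keep e.g. "1.0"
	          # from matching inside "1.0.1".
	          ISVULNERABLE=`echo ${VULNERABLE} | grep "%${VERSION}%"`
	          if [ ! "${ISVULNERABLE}" = "" ]; then
	            logtext "Version ${VERSION} seems to be vulnerable (if unpatched)!"
	            displaytext $E "${LAYOUT}[ ${BAD}Vulnerable${NORMAL} ]"
	            FOUND=1
	          else
	            ISNONVULNERABLE=`echo ${NONVULNERABLE} | grep "%${VERSION}%"`
	            if [ ! "${ISNONVULNERABLE}" = "" ]; then
	              logtext "Version ${VERSION} is available in non-vulnerable group and seems to be OK!"
	              displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	            else
	              logtext "No information available. Unknown version number"
	              displaytext $E "${LAYOUT}[ ${YELLOW}Unknown${NORMAL} ]"
	              FOUNDUNKNOWN=1
	            fi
	          fi
	        fi
	      fi
	    done

	    if [ ${FILEFOUND} -eq 0 ]; then
	      logtext "Application not found"
	    fi

	  done

#if [ `uname` = "Linux" ]
#  then
#    KERNELVERSION=`uname -r`
#      # Strip hypens (-)
#      if [ ! `echo ${KERNELVERSION} | grep '-'` = "" ]
#        then
#          KERNELVERSION=`echo ${KERNELVERSION} | cut -d '-' -f1`
#      fi
#
#    displaytext -n "Search information for Linux kernel ${KERNELVERSION}..."
#
#    FOUND=0
#    VULNERABLE=0
#    for I in ${LINUX_KERNELS}; do
#      TYPE=`echo ${I} | cut -d ':' -f1`
#      INFO=`echo ${I} | cut -d ':' -f2`
#
#      if [ "${TYPE}" = "nonvulnerable" ]
#        then
#          GOODVERSIONS=`echo ${INFO} | sed -e "s/%/, /g" | sed -e "s/^, //"  | sed -e "s/, $//"`
#      fi
#
#      if [ ! "`echo ${INFO} | grep "${KERNELVERSION}"`" = "" -o ! "`echo ${INFO} | grep "${KERNELVERSION}-"`" = "" ]
#        then
#          if [ "${TYPE}" = "vulnerable" ]
#            then
#              FOUND=1
#              VULNERABLE=1
#              displaytext "Possible vulnerable kernel version!"
#          fi
#
#          if [ "${TYPE}" = "nonvulnerable" ]
#            then
#              FOUND=1
#              displaytext "Found a non-vulnerable kernel version"
#          fi
#      fi
#    done
#    if [ "${FOUND}" -eq 0 ]
#      then
#        displaytext "Unknown version"
#      else
#        if [ "${VULNERABLE}" -eq 1 ]
#          then
#            displaytext "Please upgrade to a higher version like ${GOODVERSIONS}"
#        fi
#    fi
#  else
#    displaytext "Linux kernel check skipped"
#fi

	  displaytext ""
	  if [ "${FOUNDUNKNOWN}" -eq 1 ]; then
	    displaytext "Your system contains some unknown version numbers. Please run Rootkit Hunter"
	    displaytext "with the --update parameter or fill in the contact form (www.rootkit.nl)"
	  fi

	fi
	# end of application test CHECK (application_check=1)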




##################################################################################################
#
# Security advisories
#
##################################################################################################


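	displaytext ""; displaytext ""
	displaytext "${YELLOW}Security advisories${NORMAL}"
	logtext "------------------------- Security advisories -------------------------"

	SIZE=30
	jump=`expr ${defaultcolumn} - ${SIZE}`


	displaytext "${test}* Check: Groups and Accounts${NORMAL}"
	displaytext -n "   Searching for /etc/passwd... "
	if [ -e "${ROOTDIR}etc/passwd" ]; then
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${OK}Found${NORMAL} ]"
	  displaytext -n "   Checking users with UID '0' (root)... "

	  SIZE=39
	  jump=`expr ${defaultcolumn} - ${SIZE}`

	  # Every account whose UID (third field) is 0, except root itself, as
	  # "name:uid".  Matching on the numeric field avoids the false positives
	  # of a textual ":0:" search, which also hits accounts with GID 0 or a
	  # UID that merely contains a zero.
	  users_with_uid0=$(awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $3 }' "${ROOTDIR}etc/passwd")
	  insertlayout
	  if [ "${users_with_uid0}" = "" ]; then
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${YELLOW}Warning!${NORMAL} (other accounts with UID 0) ]"
	    displaytext "    info: ${users_with_uid0}"
	    logtext "Warning: found accounts with UID 0 besides root: ${users_with_uid0}"
	  fi

	else
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${BAD}Not Found${NORMAL} ]"
	fi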



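	displaytext "";
	displaytext "${test}* Check: SSH${NORMAL}"


	SIZE=39
	jump=`expr ${defaultcolumn} - ${SIZE}`

	displaytext "   Searching for sshd_config... "
	SSHDCONFIG_PLACES="${ROOTDIR}etc ${ROOTDIR}etc/ssh ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/ssh"
	for I in ${SSHDCONFIG_PLACES}; do

	  if [ -e "${I}/sshd_config" ]; then
	    SSHDCONFIG="${I}/sshd_config"
	    FOUND=0
	    displaytext "   Found ${SSHDCONFIG}"
	    displaytext -n "   Checking for allowed root login... "
	    # Only the exact forms "PermitRootLogin yes|without-password|no" are
	    # recognised, and any line containing '#' counts as a comment.
	    permitrootlogin=`grep "PermitRootLogin" "${SSHDCONFIG}" | grep -v "#"`

	    if [ "${permitrootlogin}" = "PermitRootLogin yes" -o "${permitrootlogin}" = "PermitRootLogin without-password" ]; then
	      FOUND=1
	      logtext "Info: Found 'PermitRootLogin yes' or 'PermitRootLogin without-password'. Unsafe for production servers..."
	      logtext "Tip: Change the option in your configuration file (${SSHDCONFIG})."
	      logtext "     Use normal user accounts and 'su' to obtain root permissions."
	    else
	      permitrootlogin2=`grep "PermitRootLogin no" "${SSHDCONFIG}" | grep -v "#"`
	      if [ "${permitrootlogin2}" = "PermitRootLogin no" ]; then
	        FOUND=0
	        logtext "Info: Found 'PermitRootLogin no'"
	      else
	        # No explicit setting: the commented-out default line shows
	        # what the daemon falls back to
	        permitrootlogin3=`grep "#PermitRootLogin yes" "${SSHDCONFIG}"`
	        if [ ! "${permitrootlogin3}" = "" ]; then
	          FOUND=1
	          logtext "Info: Found no explicit values, but a default value of 'yes'"
	        else
	          FOUND=0
	          logtext "Unknown PermitRootLogin state"
	        fi
	      fi
	    fi

	    if [ ${FOUND} -eq 1 ]; then
	      displaytext "${red}Watch out ${NORMAL}Root login possible. Possible risk!"
	      displaytext "Hint: see logfile for more information"
	      displaytext "    info: ${permitrootlogin}"
	      displaytext "    Hint: See logfile for more information about this issue"
	      logtext "Warning: root login possible. Change for your safety the 'PermitRootLogin'"
	      logtext "(into 'no') and use 'su -' to become root. "
	    else
	      SIZE=36
	      jump=`expr ${defaultcolumn} - ${SIZE}`
	      insertlayout
	      displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} (Remote root login disabled) ]"
	    fi


	    displaytext -n "   Checking for allowed protocols... "

	    # Separate flag: FOUND still holds the root-login verdict and must
	    # not leak into the protocol verdict below.
	    PROTOFOUND=0
	    SIZE=35
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    insertlayout
	    # Match the whole directive, not only "Protocol 2", otherwise the
	    # "Protocol 1" and "Protocol 1,2" comparisons can never be reached.
	    protocols=`grep "Protocol" "${SSHDCONFIG}" | grep -v "#"`
	    if [ "${protocols}" = "Protocol 2" ]; then
	      displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} (Only SSH2 allowed) ]"
	    elif [ "${protocols}" = "Protocol 2,1" -o "${protocols}" = "Protocol 1,2" -o "${protocols}" = "Protocol 1" ]; then
	      displaytext $E "${LAYOUT}[ ${YELLOW}Warning${NORMAL} ]"
	      displaytext "    info: Users can use SSH1-protocol (see logfile for more information)."
	      logtext "Hint: Change the 'Protocol xxx' line into 'Protocol 2'"
	    else
	      # No explicit Protocol line: fall back to the commented-out default
	      protocols=`grep "#Protocol" "${SSHDCONFIG}"`
	      if [ "${protocols}" = "#Protocol 2,1" -o "${protocols}" = "#Protocol 1,2" ]; then
	        PROTOFOUND=1
	        logtext "Found default option Protocol 2,1"
	      fi
	      if [ "${protocols}" = "#Protocol 1" ]; then
	        PROTOFOUND=1
	        logtext "Found default option Protocol 1"
	      fi

	      if [ ${PROTOFOUND} -eq 0 ]; then
	        displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} (Only SSH2 allowed) ]"
	        displaytext "    info: found no option, most times default value is used."
	      else
	        displaytext $E "${LAYOUT}[ ${YELLOW}Warning${NORMAL} (SSH v1 allowed) ]"
	        logtext "Warning: SSH version 1 possible allowed!"
	        logtext "Hint: Change the 'Protocol xxx' line into 'Protocol 2'"
	      fi
	    fi
	  fi

	done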

 
	displaytext "";
	displaytext "${test}* Check: Events and Logging${NORMAL}"
	displaytext -n "   Search for syslog configuration... "

	SIZE=36
	jump=`expr ${defaultcolumn} - ${SIZE}`


	# Either the classic syslogd or the syslog-ng configuration will do
	if [ -e "/etc/syslog.conf" -o -e "/etc/syslog-ng/syslog-ng.conf" ]; then
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  SIZE=38
	  jump=`expr ${defaultcolumn} - ${SIZE}`

	  displaytext -n "   Checking for running syslog slave... "

	  # SunOS ps takes the SysV '-ef' form, everything else the BSD 'ax'.
	  # The trailing 'grep -v' drops the grep process itself from the list.
	  case "${OPERATING_SYSTEM}" in
	    SunOS) PSCMD="ps -ef" ;;
	    *)     PSCMD="ps ax" ;;
	  esac
	  syslogisrunning=`${PSCMD} | grep syslogd | grep -v "grep"`
	  syslogngisrunning=`${PSCMD} | grep syslog-ng | grep -v "grep"`

	  insertlayout
	  if [ -n "${syslogisrunning}" -o -n "${syslogngisrunning}" ]; then
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
	    displaytext "    Info: Cannot find syslog/syslog-ng daemon"
	  fi

	  SIZE=42
	  jump=`expr ${defaultcolumn} - ${SIZE}`

	  displaytext -n "   Checking for logging to remote system... "

	  # syslogd first, syslog-ng second.  A remote destination is recognised
	  # by an '@' on a non-comment line.
	  if [ -e /etc/syslog.conf ]; then
	    logtoremote=`grep "@" /etc/syslog.conf | grep -v "#"`
	  elif [ -e /etc/syslog-ng/syslog-ng.conf ]; then
	    # Yes, we found the configuration file
	    logtoremote=`grep "@" /etc/syslog-ng/syslog-ng.conf | grep -v "#"`
	  else
	    # Not reachable in practice: the enclosing test already established
	    # that one of the two files exists.  Messages kept as they were.
	    displaytext $E "${LAYOUT}[ ${YELLOW}NA${NORMAL} ]"
	    displaytext "Warning: Cannot find syslog-ng configuration file"
	    logtext "Info: Cannot find syslog-ng configuration file"
	  fi

	  insertlayout
	  if [ -z "${logtoremote}" ]; then
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} (no remote logging) ]"
	  else
	    displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} (remote logging) ]"
	    displaytext "    info: ${logtoremote}"
	    logtext "Info: line found with logging to remote host ($logtoremote)"
	  fi

	fi

	
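keypresspause

	# Wall-clock duration of the scan.  AIX uses the shell's SECONDS
	# counter, presumably because 'date +%s' is not available there.
	if [ "${OPERATING_SYSTEM}" = "AIX" ]; then
	  ENDTIME=$SECONDS
	else
	  ENDTIME=`date +%s`
	fi
	TOTALTIME=`expr ${ENDTIME} - ${BEGINTIME}`

	displaytext ""; displaytext ""
	displaytext "---------------------------- Scan results ----------------------------"
	displaytext ""
	displaytext "${YELLOW}MD5${NORMAL}"
	displaytext "MD5 compared: ${MD5_COUNT}"
	displaytext -n "Incorrect MD5 checksums: "
	if [ "${MD5_DIFFERENT}" -eq 0 ]; then
	  displaytext -n "${OK}"
	else
	  displaytext -n "${BAD}"
	fi
	displaytext "${MD5_DIFFERENT}${NORMAL}"
	displaytext ""
	displaytext "${YELLOW}File scan${NORMAL}"
	displaytext "Scanned files: ${SCANNED_COUNT}"
	displaytext -n "Possible infected files: "
	if [ "${INFECTED_COUNT}" -eq 0 ]; then
	  displaytext -n "${OK}"
	else
	  displaytext -n "${BAD}"
	fi
	displaytext "${INFECTED_COUNT}${NORMAL}"
	logtext "Scanned for: ${ROOTKIT_TESTS}"
	if [ ! "${INFECTED_NAMES}" = "" ]; then
	  displaytext "Possible rootkits: ${INFECTED_NAMES}"
	fi
	displaytext ""
	displaytext "Scanning took ${TOTALTIME} seconds"

	if [ "${REPORTMODE}" -eq 0 ]; then
	  if [ "${DEBUGLOG}" -eq 1 ]; then
	    displaytext "Scan results written to logfile (${DEBUGFILE})"
	  fi

	  displaytext ""
	  displaytext "-----------------------------------------------------------------------"
	  displaytext ""
	  displaytext "Do you have some problems, undetected rootkits, false positives, ideas"
	  displaytext "or suggestions?"
	  displaytext "Please e-mail me by filling in the contact form (@http://www.rootkit.nl)"
	  displaytext ""
	  displaytext "-----------------------------------------------------------------------"
	else

	  # Force output (because we are in quiet mode)
	  echo "* MD5 scan"
	  echo "MD5 compared            : ${MD5_COUNT}"
	  echo "Incorrect MD5 checksums : ${MD5_DIFFERENT}"
	  echo ""
	  echo "* File scan"
	  echo "Scanned files: ${SCANNED_COUNT}"
	  echo "Possible infected files: ${INFECTED_COUNT}"
	  echo ""
	  echo "* Rootkits"
	  echo "Possible rootkits: ${INFECTED_NAMES}"
	  echo ""
	  echo "Scanning took ${TOTALTIME} seconds"
	  echo ""
	  echo "*important*"
	  echo "Scan your system sometimes manually with full output enabled!"
	fi

	if [ "${CATLOGFILE}" -eq 1 ]; then
	  cat "${DEBUGFILE}"
	fi

	if [ "${WARNING}" -eq 1 ]; then

	  if [ "${SHOWWARNINGSONLY}" -eq 1 ]; then
	    echo "-----------------------------------------------------------------"
	    echo ""
	    echo "Found warnings:"
	    egrep "Warning|WARNING|BAD|Bad|Vulnerable" "${DEBUGFILE}"
	    echo ""
	    echo "-----------------------------------------------------------------"
	    echo ""
	    echo "If you're unsure about the results above, please contact the author of"
	    echo "Rootkit Hunter. Fill in contact form: http://www.rootkit.nl/contact/"
	  fi
	  if [ ! "${MAILONWARNING}" = "" ]; then
	    # The subject is one quoted argument (an unquoted "[rkhunter]" is a
	    # glob pattern and the escaped spaces are easy to get wrong).
	    # MAILONWARNING is deliberately left unquoted so that a
	    # space-separated list of recipients stays several arguments.
	    echo "Please inspect this machine, because it can be infected" | mail -s "[rkhunter] Warnings found for ${hostname}" ${MAILONWARNING}
	  fi

	  # If we use the --quiet option, tell the user he has to inspect the machine
	  if [ "${QUIET}" -eq 1 ]; then
	    echo "Some errors has been found while checking. Please perform a manual check on this machine ${hostname}"
	  fi

	  # Something was wrong. So end with a nonzero exit state for scripters/coders ;-)
	  exit 1

	else
	  exit 0
	fi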
       
  else

    if [ ! ${NOARGS} -eq 1 -a ${VERSIONCHECK} -eq 0 -a ${UPDATE} -eq 0 ]; then
      displaytext "You don't want to check your system?"
      displaytext "Please submit a parameter like --checkall or --cronjob"
    fi
fi

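if [ "${UPDATE}" -eq 1 ]; then
  displaytext "Running updater..."
  displaytext ""
  # Hand the config file, mirror list, database directory, md5 tool and
  # logfile to the updater.  Paths are quoted; ${md5} is left unquoted
  # because whether it holds a bare name or a command with options cannot
  # be told from here.
  "${MYDIR}/lib/rkhunter/scripts/check_update.sh" "${CONFIGFILE}" "${MIRRORFILE}" "${DB_PATH}" ${md5} "${DEBUGFILE}"
  displaytext ""
  displaytext "Ready."
fi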

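if [ "${VERSIONCHECK}" -eq 1 ]; then
  LATESTVERSION="unknown"
  UPDFILE="${TMPDIR}/rkhunter.upd"

  # Never reuse a stale copy from an earlier run
  if [ -f "${UPDFILE}" ]; then
    rm -f "${UPDFILE}"
  fi

  # First mirror in mirrors.dat ("<key>=<url>" lines; the version= line is skipped)
  URLPREFIX=`grep -v 'version=' "${DB_PATH}/mirrors.dat" | head -n 1 | cut -d '=' -f2`

  # Location of the version file relative to the mirror (LATESTVERSION= in the config)
  VERSIONUPDATEURL=`grep 'LATESTVERSION=' "${CONFIGFILE}" | sed 's/LATESTVERSION=//g'`

  if [ "${WGETFOUND}" -eq 1 ]; then
    ${WGETBINARY} -q -O "${UPDFILE}" "${URLPREFIX}${VERSIONUPDATEURL}"
    displaytext "${URLPREFIX}${VERSIONUPDATEURL}"
    # The download is not authenticated, so only the first line is used,
    # reduced to the characters a version string consists of; anything else
    # (including terminal control sequences in a tampered response) is
    # dropped instead of being echoed.  A failed download leaves "unknown".
    if [ -f "${UPDFILE}" ]; then
      LATESTVERSION=`head -n 1 "${UPDFILE}" | tr -cd '0-9A-Za-z._-'`
    fi
  fi

  # Normalise before printing so that an empty result is shown as "unknown"
  if [ "${LATESTVERSION}" = "" ]; then
    LATESTVERSION="unknown"
  fi

  displaytext ""
  echo "${PROGRAM_NAME} ${PROGRAM_version}, copyright ${PROGRAM_author}"
  echo ""
  echo "This version:   ${PROGRAM_version}"
  echo "Latest version: ${LATESTVERSION}"

  # Only inequality is tested: a local version newer than the published
  # one is reported as "Update available" too.
  if [ ! "${PROGRAM_version}" = "${LATESTVERSION}" ]; then
    if [ "${LATESTVERSION}" = "unknown" ]; then
      echo "Can't fetch latest version number."
      echo "${WHITE}Please check manually for updates${NORMAL}"
    else
      echo "${WHITE}Update available${NORMAL}"
    fi
  fi

  echo "" ; echo ""; echo ""
fi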
  

# Usage text, printed when the script is started without parameters.
# A here-document needs no echo option dance: the original used "$ECHOOPT"
# ('--' when echo is aliased to ksh's print) to stop the "--xxx" lines
# from being taken as options; cat prints them verbatim either way.
if [ "${NOARGS}" -eq 1 ]; then
  cat <<EOF
${PROGRAM_license}

Valid parameters:
--checkall (-c)           : Check system
--createlogfile*          : Create logfile
--cronjob                 : Run as cronjob (removes colored layout)
--display-logfile         : Show logfile at end of the output
--help (-h)               : Show this help
--nocolors*               : Don't use colors for output
--report-mode*            : Don't show uninteresting information for reports
--report-warnings-only*   : Show only warnings (lesser output than --report-mode,
                            more than --quiet)
--skip-application-check* : Don't run application version checks
--skip-keypress*          : Don't wait after every test (non-interactive)
--quick*                  : Perform quick scan (instead of full scan)
--quiet*                  : Be quiet (only show warnings)
--update                  : Run update tool and check for database updates
--version                 : Show version and quit
--versioncheck            : Check for latest version

--bindir <bindir>*        : Use <bindir> instead of using default binaries
--configfile <file>*      : Use different configuration file
--dbdir <dir>*            : Use <dbdir> as database directory
--rootdir <rootdir>*      : Use <rootdir> instead of / (slash at end)
--tmpdir <tempdir>*       : Use <tempdir> as temporary directory

Explicit scan options:
--disable-md5-check*      : Disable MD5 checks
--disable-passwd-check*   : Disable passwd/group checks
--scan-knownbad-files*    : Perform besides 'known good' check a 'known bad' check

Multiple parameters are allowed
*) Parameter can only be used with other parameters

${PROGRAM_extrainfo}

EOF
fi

# end of parameter check

# 
# To Do:
#
# - FreeBSD MD5 test:
# ( md5 -x | grep -v 'verified correct' | grep -v 'MD5 test suite:' )
# Portacelo:
# String: 'big mess of a failure', 'Here today, gone tommorow' (sshd)
# find `lsof -F n | sort | uniq | grep '^n/' | cut -b 2,256 | egrep 'ASCII|ELF'` | cut -d ':' -f1
#
#
#################################################################################
#
# Big thanks to:
# - Iain Roberts: AIX and OpenBSD support
# - unSpawn @ rootshell.be
# - Doncho N. Gunchev
# - Steph: testing
#
#################################################################################


# The End
